Why Should You Audit Your Website for Security?
Most hacks and cyber attacks happen because of poor security practices. The first step you can take to improve your online security is knowing exactly what’s installed on your website.
Having a checklist can help you stay on top of website security.
Website Audit Checklist
Here is a simplified template for a website security checklist that you can use to audit your website. We recommend doing a thorough first-time audit.
Change default CMS Settings for:
- User settings
- Comment settings
- General visibility of information (e.g. PHP error reporting can reveal configuration details)
Set the most suitable file permissions
- Read, Write, or Execute
- Owner, Group, or Public
Check for the latest software updates
- Make sure your CMS is running on the latest version available.
Use security extensions for your CMS
- For example, for WordPress you can install website security plugins such as the Sucuri Free WordPress Security Plugin.
- Check security plugin settings
If you have installed extensions/plugins, check for:
- the latest update,
- age of extension,
- number of installs,
- and whether your plugins come from legitimate and trusted sources (e.g. the WordPress plugin repository).
Backup your data
- Have an offsite backup.
- Set up automatic backups.
- Have a reliable recovery plan. Store a copy of the backup in a second location in case anything happens to the offsite backup and make sure you can restore your site from a backup with minimum downtime.
- Check the integrity of backups to ensure they are not corrupted or otherwise unusable.
Follow server configuration files best practices
- Familiarize yourself with web server configuration files: Apache web servers use the .htaccess file; Nginx servers use nginx.conf; Microsoft IIS servers use web.config
- Prevent directory browsing
- Prevent image hotlinking
- Protect sensitive files
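As an added illustration (not part of the original post), here is a WordPress-style .htaccess fragment that covers the three items above on Apache 2.4. It assumes mod_rewrite is enabled, that the host allows .htaccess overrides for Options and FileInfo, and that example.com is a placeholder for your own domain.

```apache
# Added example, not from the original post. Assumes Apache 2.4 syntax,
# mod_rewrite enabled, and AllowOverride permitting these directives.

# 1. Prevent directory browsing: without an index file, Apache would
#    otherwise list the directory contents to any visitor.
Options -Indexes

# 2. Prevent image hotlinking: serve images only when the Referer is empty
#    (direct visits, some privacy tools) or comes from your own site.
#    Replace example.com with your real domain.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]

# 3. Protect sensitive files: deny web access to the WordPress config,
#    the .htaccess/.htpasswd files themselves, and version-revealing files.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# Also block leftovers that often end up in the web root: editor backups,
# database dumps, logs and environment files.
<FilesMatch "\.(bak|old|orig|sql|log|env)$">
    Require all denied
</FilesMatch>
```

After saving the file, request a directory URL, an image from a third-party page, and /wp-config.php to confirm each rule responds with a 403 instead of content.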
Install an SSL certificate
- Make sure your website data in transit is encrypted. You can check out this step-by-step guide on how to install an SSL certificate.
- Set up SFTP (SSH File Transfer Protocol) instead of plain FTP
Set automatic malware scans for your website
- It is important to be up to date on the state of your website security.
Have unique passwords
Make sure all the passwords (FTP, CMS, database, etc.) are strong.
Make sure the site is not blacklisted
Website blacklist authorities, such as Google or McAfee SiteAdvisor, add warnings to infected web pages.
Ongoing Audit
After you have completed a thorough website security audit once, you still need to check some items regularly. We recommend doing an ongoing audit as part of maintaining a good website security posture.
Here is a checklist of what needs to be constantly verified:
Update
- Check for outdated or insecure software
- Passwords
Remove
- Inactive or unused plugins
- Inactive or unsafe themes and extensions
Review
- User and account access – least privilege
- File permissions
- Security plugin settings
- Backup settings
- SSL Certificate
- Changes to files – integrity monitoring
If you are unfamiliar with any of the items shown in this checklist, you can start with our quick 8-minute read, the 10 Tips to Improve Your Website Security blog post, which covers each of the checklist items in detail.
The Simplified Website Security Audit Checklist
You can save the simplified website security audit checklist:
The Sucuri Security WordPress Plugin
If your website uses WordPress, you can install our free WordPress website security plugin that offers:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
Conclusion
The good news is that as you continue to audit your website for security, the process becomes more efficient and each audit takes less time. Most importantly, knowing exactly what you have installed and keeping your website updated reduces the chances of an attacker gaining access to your assets. Website monitoring is a crucial part of website security and should not be overlooked.
The Sucuri monitoring platform combines a remote scanner with a server-side scanner so you can have clear visibility on the state of your website security. Our website security platform offers website monitoring, protection, and response in case of hacks and attacks.
Attackers are always trying to find new tactics and means of access. Just as you work to keep your website clean and updated, it's important to keep your website security knowledge up to date as well. Lastly, continue to read blog posts, articles and reports on the latest news regarding your CMS or website environment.