
How to Perform a Website Security Audit (with Checklist)

July 24, 2019, by Pilar Garcia


Why Should You Audit Your Website for Security?

Most hacks and cyber attacks happen because of poor security practices. The first step you can take to improve your online security is knowing exactly what’s installed on your website.

Having a checklist can help you stay on top of website security.

Website Audit Checklist

Here is a simplified template for a website security checklist that you can use to audit your website. We recommend doing a thorough first-time audit.

Change default CMS Settings for:

  • User settings
  • Comment settings
  • General visibility of information (e.g., PHP error reporting can reveal configuration details)

Set the most suitable file permissions

  • Read, Write, or Execute
  • Owner, Group, or Public
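To make the Read/Write/Execute and Owner/Group/Public checks concrete, here is an added shell script (not from the Sucuri post) that audits a web root against an assumed policy: nothing writable by Public, no executable files under uploads/, and configuration files not readable by Public. The directory layout, the sample files and the wp-config.php/configuration.php names it looks for are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): audit a web root for risky
# permissions. The policy is an assumption: nothing writable by "Public"
# (others), no executables under uploads/, and config files not Public-readable.
set -eu

# Constructed fixture: a tiny fake CMS tree with deliberate mistakes.
make_perm_fixture() {
  d="$1"
  mkdir -p "$d/uploads" "$d/wp-content"
  : > "$d/index.php";         chmod 644 "$d/index.php"         # fine: owner rw, others r
  : > "$d/wp-config.php";     chmod 644 "$d/wp-config.php"     # bad: Public can read DB credentials
  : > "$d/uploads/photo.jpg"; chmod 666 "$d/uploads/photo.jpg" # bad: Public can overwrite it
  : > "$d/uploads/run.sh";    chmod 755 "$d/uploads/run.sh"    # bad: executable in uploads
  chmod 755 "$d" "$d/uploads" "$d/wp-content"                  # set explicitly, independent of umask
}

# audit_permissions WEBROOT: print one "category: path" line per finding.
audit_permissions() {
  root="$1"
  # Write bit for "others" (octal 0002) on any file or directory.
  find "$root" -perm -0002 -print | sed 's/^/world-writable: /'
  # Owner execute bit (0100) on files in uploads/, which should hold data only.
  if [ -d "$root/uploads" ]; then
    find "$root/uploads" -type f -perm -0100 -print | sed 's/^/executable-upload: /'
  fi
  # Read bit for "others" (0004) on known configuration files.
  find "$root" -type f \( -name wp-config.php -o -name configuration.php \) \
       -perm -0004 -print | sed 's/^/public-readable-config: /'
}

# count_findings WEBROOT: number of findings, for a scripted pass/fail gate.
count_findings() { audit_permissions "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_perm_fixture "$d"
  audit_permissions "$d"; echo "findings: $(count_findings "$d")"
  rm -rf "$d"
fi
```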

Check for the latest software updates

  • Make sure your CMS is running on the latest version available.

Use security extensions for your CMS

  • For example, for WordPress you can install website security plugins such as the Sucuri Free WordPress Security Plugin.
  • Check security plugin settings

If you have installed extensions/plugins, check for:

  • the latest update,
  • age of extension,
  • number of installs,
  • and if your plugins come from legitimate and trusted sources (e.g., the WordPress plugin repository).

Backup your data

  • Have an offsite backup.
  • Set up automatic backups.
  • Have a reliable recovery plan. Store a copy of the backup in a second location in case anything happens to the offsite backup and make sure you can restore your site from a backup with minimum downtime.
  • Check the integrity of backups to ensure they are not corrupted or otherwise unusable.

Follow server configuration files best practices

  • Familiarize yourself with your web server's configuration files: Apache web servers use .htaccess files, Nginx servers use nginx.conf, and Microsoft IIS servers use web.config.
  • Prevent directory browsing
  • Prevent image hotlinking
  • Protect sensitive files
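An added example (not from the Sucuri post) of what the last three items look like in Apache 2.4 .htaccess syntax, together with a small grep-based audit that reports which of the three controls an existing .htaccess lacks; example.com and the protected file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): write an Apache .htaccess that
# covers the three checklist items and audit an existing one for them.
# Directives are Apache 2.4 syntax; example.com is a placeholder domain.
set -eu

# write_hardened_htaccess FILE: constructed reference configuration.
write_hardened_htaccess() {
  cat > "$1" <<'EOF'
# Prevent directory browsing: no auto-generated listing when no index file exists.
Options -Indexes

# Protect sensitive files: the web server never serves these to anyone.
<FilesMatch "^(wp-config\.php|\.htaccess|\.env|.*\.sql)$">
  Require all denied
</FilesMatch>

# Prevent image hotlinking: serve images only to requests carrying our own
# Referer, or none (direct visits and privacy-conscious browsers still work).
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
EOF
}

# check_htaccess FILE: print one "missing: <control>" line per absent control.
# Heuristic text match only; it does not parse Apache's directive scoping.
check_htaccess() {
  f="$1"
  grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$f" || echo "missing: directory-listing-disabled"
  grep -Eq '^[[:space:]]*Require all denied'           "$f" || echo "missing: sensitive-files-protected"
  grep -Eq 'RewriteCond[[:space:]]+%[{]HTTP_REFERER[}]' "$f" || echo "missing: hotlink-protection"
  return 0
}

# count_missing FILE: number of absent controls (0 means all three are present).
count_missing() { check_htaccess "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_hardened_htaccess "$d/.htaccess"; : > "$d/empty"
  echo "hardened missing: $(count_missing "$d/.htaccess")"
  check_htaccess "$d/empty"; rm -rf "$d"
fi
```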

Install an SSL certificate

  • Make sure your website data in transit is encrypted. You can check out this step-by-step guide on how to install an SSL certificate.
  • Set up SFTP (SSH File Transfer Protocol) for file transfers.

Set automatic malware scans for your website

  • It is important to be up to date on the state of your website security.

Have unique passwords

Make sure all the passwords (FTP, CMS, database, etc.) are strong.

Make sure the site is not blacklisted

Website blacklist authorities, such as Google or McAfee SiteAdvisor, add warnings to infected web pages.

Ongoing Audit

After you have completed a thorough website security audit once, you still need to check some items regularly. We recommend doing an ongoing audit as part of maintaining a good website security posture.

Here is a checklist of what needs to be constantly verified:

Update

  • Check for outdated or insecure software
  • Passwords

Remove

  • Inactive or unused plugins
  • Inactive or unsafe themes and extensions

Review

  • User and account access – least privilege
  • File permissions
  • Security plugin settings
  • Backup settings
  • SSL Certificate
  • Changes to files – integrity monitoring
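The "changes to files" review in practice: an added shell example (not from the Sucuri post) that records a SHA-256 baseline of a web root while the site is known-good and, on later runs, reports files added, modified or deleted since. It assumes GNU sha256sum and paths without spaces; the site tree it builds and tampers with is a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): a minimal file integrity monitor.
# Records a SHA-256 baseline of a web root and reports added, modified and
# deleted files on later runs. Assumes GNU sha256sum; paths contain no spaces.
set -eu

# build_baseline WEBROOT OUTFILE: one "hash  ./relative/path" line per file, sorted by path.
build_baseline() {
  (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# compare_baseline WEBROOT BASELINE: print "added|modified|deleted: path" lines.
compare_baseline() {
  current=$(mktemp)
  build_baseline "$1" "$current"
  # Pass one stores the baseline hashes by path; pass two walks the current
  # tree, and whatever is still in the table afterwards was deleted.
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
       {
         if (!($2 in base))       print "added: " $2
         else if (base[$2] != $1) print "modified: " $2
         delete base[$2]
       }
       END { for (p in base) print "deleted: " p }' "$2" "$current" | sort
  rm -f "$current"
}

# Constructed fixture: baseline a tiny site, then tamper with it three ways.
make_integrity_fixture() {
  d="$1"
  mkdir -p "$d/uploads"
  printf '<?php echo "home";\n' > "$d/index.php"
  printf '<?php $db = "x";\n'   > "$d/wp-config.php"
  printf 'hello\n'              > "$d/uploads/a.txt"
  build_baseline "$d" "$d.baseline"   # snapshot taken while the site is known-good
  printf 'extra\n' >> "$d/index.php"  # modified: content appended after the snapshot
  : > "$d/uploads/new.php"            # added: a file that was not in the baseline
  rm "$d/uploads/a.txt"               # deleted: a baselined file has disappeared
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_integrity_fixture "$d"
  compare_baseline "$d" "$d.baseline"
  rm -rf "$d" "$d.baseline"
fi
```

In a real deployment the baseline lives outside the web root (an attacker who can change files can also edit a baseline stored beside them) and is refreshed only after a deliberate, verified update.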

If you are unfamiliar with any of the items in this checklist, you can start with the 10 Tips to Improve Your Website Security blog post, a quick 8-minute read that covers each of the checklist items in detail.

The Simplified Website Security Audit Checklist

You can save the simplified website security audit checklist:

Simplified Website Audit Checklist

The Sucuri Security WordPress Plugin

If your website uses WordPress, you can install our free WordPress website security plugin that offers:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)
Sucuri Security Free WordPress Plugin – Auditing, Malware Scanner and Security Hardening

Conclusion

The good news is that as you continue to audit your website for security, the process becomes more efficient and takes less time. Most importantly, knowing exactly what you have installed and keeping your website updated reduces the chances of an attacker gaining access to your assets. Website monitoring is a crucial part of website security and should not be overlooked.

The Sucuri monitoring platform combines a remote scanner with a server-side scanner so you can have clear visibility on the state of your website security. Our website security platform offers website monitoring, protection, and response in case of hacks and attacks.

Attackers are always trying to find new tactics and means of access. Just as you work to keep your website clean and updated, it’s important you update your website security knowledge as well. Lastly, continue to read blog posts, articles, reports on the latest news regarding your CMS or website environment.


Categories: Security Education, Website Security. Tags: Website Monitoring

About Pilar Garcia

Pilar Garcia is Sucuri's Paid Acquisition Specialist who joined the company in 2017. Pilar's main responsibilities include managing social, paid social, and paid ads. Pilar's professional experience covers 17 years of learning, leadership, and development, five years of digital marketing experience, and two years of quality assurance. When Pilar isn't looking into ads or social, you can find her reading, cooking, or spending time with her family. Connect with Pilar on Twitter.
