Why Should You Audit Your Website for Security?
Most hacks and cyber attacks happen because of poor security practices. The first step you can take to improve your online security is knowing exactly what’s installed on your website.
Having a checklist can help you stay on top of website security.
Website Audit Checklist
Here is a simplified template for a website security checklist that you can use to audit your website. We recommend doing a thorough first- time audit.
Change default CMS Settings for:
- User settings
- Comment settings
- General visibility of information (e.g PHP error reporting can reveal configuration details)
Set the most suitable file permissions
- Read, Write, or Execute
- Owner, Group, or Public
Check for the latest software updates
- Make sure your CMS is running on the latest version available.
Use security extensions for your CMS
- For example, for WordPress you can install website security plugins such as the Sucuri Free WordPress Security Plugin.
- Check security plugin settings
If you have installed extensions/plugins, check for:
- the latest update,
- age of extension,
- number of installs,
- and if your plugins come from legitimate and trusted sources (e.g the WordPress plugin repository).
Backup your data
- Have an offsite backup.
- Setup automatic backups.
- Have a reliable recovery plan. Store a copy of the backup in a second location in case anything happens to the offsite backup and make sure you can restore your site from a backup with minimum downtime.
- Check the integrity of backups to ensure they are not corrupted or otherwise unusable.
Follow server configuration files best practices
- Familiarize yourself with web server configuration files—Apache web servers use .htaccess file; Nginx servers use nginx.con; Microsoft IIS servers use web.config
- Prevent directory browsing
- Prevent image hotlinking
- Protect sensitive files
Install an SSL certificate
- Make sure your website data in transit is encrypted. You can check out this step-by-step guide on how to install an SSL certificate.
- Setup SSH (Secure Shell) File Transfer Protocol
Set automatic malware scans for your website
- It is important to be up to date on the state of your website security.
Have unique passwords
Make sure all the passwords (FTP, CMS, Database, etc) are strong.
Make sure the site is not blacklisted
Website blacklist authorities, such as Google or McAffe SiteAdvisor add warnings to infected web pages.
After you have completed a thorough website security audit once, you still need to check up some items regularly. We recommend doing an ongoing audit as part of maintaining a good website security posture.
Here is a checklist of what needs to be constantly verified:
- Check for outdated or insecure software
- Inactive or unused plugins
- Inactive or unsafe themes and extensions
- User and account access – least privilege
- File permissions
- Security plugin settings
- Backup settings
- SSL Certificate
- Changes to files – integrity monitoring
If you are unfamiliar with any of the items shown in this checklist, you can start with this quick 8-minute read on 10 Tips to Improve Your Website Security blog post, which covers in detail each one of the checklist items.
The Simplified Website Security Audit Checklist
You can save the simplified website security audit checklist:
The Sucuri Security WordPress Plugin
If your website uses WordPress, you can install our free WordPress website security plugin that offers:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
The good news is that as you continue to audit your website for security, it’s more efficient and auditing will take less time. Most importantly, knowing exactly what you have installed and keeping your website updated reduces the chances of an attacker having access to your assets. Website monitoring is a crucial part of website security and should not be overlooked.
The Sucuri monitoring platform combines a remote scanner with a server-side scanner so you can have clear visibility on the state of your website security. Our website security platform offers website monitoring, protection, and response in case of hacks and attacks.
Attackers are always trying to find new tactics and means of access. Just as you work to keep your website clean and updated, it’s important you update your website security knowledge as well. Lastly, continue to read blog posts, articles, reports on the latest news regarding your CMS or website environment.