How to Perform a Website Security Audit ( with Checklist)

Malicious Android APK

Why Should You Audit Your Website for Security?

Most hacks and cyber attacks happen because of poor security practices. The first step you can take to improve your online security is knowing exactly what’s installed on your website.

Having a checklist can help you stay on top of website security.

Website Audit Checklist

Here is a simplified template for a website security checklist that you can use to audit your website. We recommend doing a thorough first- time audit.

Change default CMS Settings for:

  • User settings
  • Comment settings
  • General visibility of information (e.g PHP error reporting can reveal configuration details)

Set the most suitable file permissions

  • Read, Write, or Execute
  • Owner, Group, or Public

Check for the latest software updates

  • Make sure your CMS is running on the latest version available.

Use security extensions for your CMS

If you have installed extensions/plugins, check for:

  • the latest update,
  • age of extension,
  • number of installs,
  • and if your plugins come from legitimate and trusted sources (e.g the WordPress plugin repository).

Backup your data

  • Have an offsite backup.
  • Setup automatic backups.
  • Have a reliable recovery plan. Store a copy of the backup in a second location in case anything happens to the offsite backup and make sure you can restore your site from a backup with minimum downtime.
  • Check the integrity of backups to ensure they are not corrupted or otherwise unusable.

Follow server configuration files best practices

  • Familiarize yourself with web server configuration files—Apache web servers use .htaccess file; Nginx servers use nginx.con; Microsoft IIS servers use web.config
  • Prevent directory browsing
  • Prevent image hotlinking
  • Protect sensitive files

Install an SSL certificate

Set automatic malware scans for your website

Have unique passwords

Make sure all the passwords (FTP, CMS, Database, etc) are strong.

Make sure the site is not blacklisted

Website blacklist authorities, such as Google or McAffe SiteAdvisor add warnings to infected web pages.

Ongoing Audit

After you have completed a thorough website security audit once, you still need to check up some items regularly. We recommend doing an ongoing audit as part of maintaining a good website security posture.

Here is a checklist of what needs to be constantly verified:


  • Check for outdated or insecure software
  • Passwords


  • Inactive or unused plugins
  • Inactive or unsafe themes and extensions


  • User and account access – least privilege
  • File permissions
  • Security plugin settings
  • Backup settings
  • SSL Certificate
  • Changes to files – integrity monitoring

If you are unfamiliar with any of the items shown in this checklist, you can start with this quick 8-minute read on 10 Tips to Improve Your Website Security blog post, which covers in detail each one of the checklist items.

The Simplified Website Security Audit Checklist

You can save the simplified website security audit checklist:

Simplified Website Audit Checklist
Simplified Website Audit Checklist

The Sucuri Security WordPress Plugin

If your website uses WordPress, you can install our free WordPress website security plugin that offers:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)
Sucuri Security Free WordPress Plugin – Auditing, Malware Scanner and Security Hardening
Sucuri Security Free WordPress Plugin – Auditing, Malware Scanner and Security Hardening


The good news is that as you continue to audit your website for security, it’s more efficient and auditing will take less time. Most importantly, knowing exactly what you have installed and keeping your website updated reduces the chances of an attacker having access to your assets. Website monitoring is a crucial part of website security and should not be overlooked.

The Sucuri monitoring platform combines a remote scanner with a server-side scanner so you can have clear visibility on the state of your website security. Our website security platform offers website monitoring, protection, and response in case of hacks and attacks.

Attackers are always trying to find new tactics and means of access. Just as you work to keep your website clean and updated, it’s important you update your website security knowledge as well. Lastly, continue to read blog posts, articles, reports on the latest news regarding your CMS or website environment.

You May Also Like