How to Perform a Website Security Audit (with Checklist)

Why Should You Audit Your Website for Security?

Most hacks and cyber attacks happen because of poor security practices. The first step you can take to improve your online security is knowing exactly what’s installed on your website.

Having a checklist can help you stay on top of website security.

Website Audit Checklist

Here is a simplified template for a website security checklist that you can use to audit your website. We recommend doing a thorough first‑time audit.

Change default CMS Settings for:

• User settings
• Comment settings
• General visibility of information (e.g., PHP error reporting can reveal configuration details — set display_errors=Off in production, log errors to file, and hide server “signatures”/X‑Powered‑By.)
• Enforce multi‑factor authentication (MFA/2FA) for all admin accounts and control panels.
• Avoid shared accounts; do not use the default “admin” username; require strong passwords; enable login rate‑limiting/CAPTCHA; set session timeouts; and, when possible, restrict admin access by IP/VPN or WAF.

Set the most suitable file permissions

• Read, Write, or Execute
• Owner, Group, or Public
• Typical Linux guidance: files 644, directories 755; sensitive configs (e.g., wp-config.php) 600/640. Never use 777. Disable script execution in uploads/cache directories.

Check for the latest software updates

• Make sure your CMS is running on the latest version available.
• Also update the OS, web server, language runtime (PHP/Node/Python), database, and extensions; avoid end‑of‑life versions. Prefer staged auto‑updates for security patches.

Use security extensions for your CMS

• For example, for WordPress you can install website security plugins such as the Sucuri Free WordPress Security Plugin.
• Keep the total number of plugins small; prefer well‑maintained extensions with recent updates and reputable maintainers.
• Check security plugin settings

If you have installed extensions/plugins, check for:

• The latest update
• Age of extension
• Number of installs
• Whether your plugins come from legitimate and trusted sources (e.g the WordPress plugin repository).
• Also review maintainer reputation/changelog cadence and known vulnerability history; remove abandonware.

Backup your data

• Have an offsite backup.
• Set up automatic backups.
• Have a reliable recovery plan. Store a copy of the backup in a second location in case anything happens to the offsite backup and make sure you can restore your site from a backup with minimum downtime.
• Check the integrity of backups to ensure they are not corrupted or otherwise unusable.
• Follow the 3‑2‑1 rule (3 copies, 2 media, 1 offsite), encrypt backups, keep at least one immutable/offline copy.

Follow server configuration files best practices

• Familiarize yourself with web server configuration files—Apache web servers use .htaccess file; Nginx servers use nginx.conf; Microsoft IIS servers use web.config.
• Prevent directory browsing:
  • Apache: Options -Indexes
  • Nginx: autoindex off;
  • IIS: Disable Directory Browsing.
• Prevent image hotlinking:
  Lower‑priority hardening; useful for privacy/cost rather than core exploit prevention.
• Protect sensitive files:
  Block access to .git/, .svn/, .env, backups (*.zip, *.bak, *.tar), logs, and build manifests (composer/npm).
• Secure file uploads: whitelist file types, verify MIME and magic bytes, limit size/count, store outside web‑root when possible, and scan on upload.

Install an SSL certificate

• Make sure your website data in transit is encrypted. You can check out this step-by-step guide on how to install an SSL certificate.
• Setup SSH (Secure Shell) File Transfer Protocol

Use a Web Application Firewall (WAF/CDN)

Enable CMS‑specific rules, login rate‑limiting, and bot protections. If you use a CDN/WAF, restrict your origin so only the provider’s IP ranges can reach it (prevents direct bypass).

Set up automatic malware scans for your website

It is important to be up to date on the state of your website security. Use both remote (external) and server‑side scanners and enable security notifications.

Have unique passwords

Make sure all the passwords (FTP, CMS, Database, etc) are strong. Use a password manager and enable MFA wherever available.

Make sure the site is not flagged by browser/search blocklists

Browsers and search engines may warn users via blocklists (e.g., Google Safe Browsing, Microsoft Defender SmartScreen, McAfee WebAdvisor).

Ongoing Audit

After you have completed a thorough website security audit once, you still need to check up some items regularly. We recommend doing an ongoing audit as part of maintaining a good website security posture.

Here is a checklist of what needs to be constantly verified:

Update

• Check for outdated or insecure software: Include OS, web server, runtime, database, CMS, plugins/themes; watch for EOL notices.
• Passwords: Enforce MFA/2FA and a strong policy; eliminate shared accounts.

Remove

• Inactive or unused plugins
• Inactive or unsafe themes and extensions
• Unused or default admin accounts
• Sample/test files and stray backups in web‑root

Review

• User and account access – least privilege (remove shared accounts; rotate secrets)
• File permissions
• Security plugin settings
• Backup settings (3‑2‑1, encryption, immutable copy, restore tests)
• Changes to files – integrity monitoring (alert on webroot changes)
• Security headers (CSP, X‑Content‑Type‑Options, Referrer‑Policy, Permissions‑Policy, frame‑ancestors).
• WAF/CDN rules & origin lock (rate limits, admin route protection, anomaly thresholds).
• Logs & alerts (auth failures, 5xx spikes, unusual geo/IP patterns) with centralized collection.
• DNS/registrar security (2FA, domain lock, CAA; SPF/DKIM/DMARC; optional DNSSEC).
• Blocklist status (Search Console/Bing Webmaster Tools and major browser vendors).
• Dependency/vulnerability scanning and basic DAST in CI/CD.

If you are unfamiliar with any of the items shown in this checklist, you can start with this quick 8-minute read on 10 Tips to Improve Your Website Security, which covers in detail each one of the checklist items.

The Simplified Website Security Audit Checklist

You can save the simplified website security audit checklist:

☐ Change default CMS settings

• Set user settings, comment settings, and visibility of information

☐ Set the most suitable file permissions

• Read, Write, or Execute

• Owner, Group, or Public

☐ Check for the latest software and plugin updates

• Make sure your CMS is running on the latest version available

☐ Use security extensions for your CMS

• For WordPress you can install security plugins such as the Sucuri Security Plugin.

☐ If you use extensions/plugins check if they come from a legitimate source

• Check for last update, age of extension, number of installs and check if your plugins come from legitimate and trusted sources (e.g. the WordPress plugin repository)

☐ Backup your data

• Set up automatic backups and have a reliable recovery plan

• Check the integrity of backups to ensure they are not corrupted or otherwise unusable

☐ Check your server configuration files

• Be familiar with your web server configuration files

• Prevent directory browsing, image hotlinking, and protect sensitive files

☐ Install an SSL certificate

• Set up SSH (Secure Shell) File Transfer Protocol

☐ Set automatic malware scans for your website

• It is important to be up to date on the state of your website security

☐ Have unique and strong passwords

☐ Make sure the site is not blacklisted

Additional WordPress hardening tips (recommended):

• Change the default “admin” username; enforce MFA; limit login attempts.
• Set DISALLOW_FILE_EDIT (and consider DISALLOW_FILE_MODS if updates are handled via CI/CD).
• Move wp-config.php one level above web‑root where possible; restrict access in server config.
• Disable XML‑RPC if unused; restrict sensitive REST endpoints.
• Keep plugin/theme count minimal; verify checksums with WP‑CLI; remove inactive/abandoned items.

The Sucuri Security WordPress Plugin

If your website uses WordPress, you can install our free WordPress website security plugin that offers:

• Security Activity Auditing
• File Integrity Monitoring
• Remote Malware Scanning
• Blocklist Monitoring
• Effective Security Hardening
• Post-Hack Security Actions
• Security Notifications
• Website Firewall (premium)

Conclusion

The good news is that as you continue to audit your website for security, it’s more efficient and auditing will take less time. Most importantly, knowing exactly what you have installed and keeping your website updated reduces the chances of an attacker having access to your assets. Website monitoring is a crucial part of website security and should not be overlooked.

The Sucuri monitoring platform combines a remote scanner with a server-side scanner so you can have clear visibility on the state of your website security. Our website security platform offers website monitoring, protection, and response in case of hacks and attacks.

Attackers are always trying to find new tactics and means of access. Just as you work to keep your website clean and updated, it’s important you update your website security knowledge as well. Lastly, continue to read blog posts, articles, reports on the latest news regarding your CMS or website environment.