Security 2026-01-20 8 min read

Website Security Audit Checklist 2026

A complete step-by-step checklist to audit your website security. Cover every attack surface before hackers do.


Why You Need a Security Audit

Most websites get compromised not through sophisticated zero-day attacks but through basic misconfigurations that a 10-minute audit would catch. An SSL certificate expired weeks ago. An admin panel exposed to the internet. A security header missing that would have blocked an XSS attack.

This checklist covers every layer of your website security, from the TLS configuration to application headers to open ports. Work through it once a quarter, and treat each item as something to verify from the outside (as an attacker would see it), not just something to read off a config file.

1. SSL / TLS

Certificate is valid, chains to a trusted CA, and does not expire within the next 30 days
Only TLS 1.2 and 1.3 are enabled; TLS 1.0, TLS 1.1 and every SSL version are disabled
No weak cipher suites (RC4, DES, 3DES, export and NULL ciphers disabled); TLS 1.2 limited to forward-secret ECDHE suites with AEAD ciphers
Certificate covers every hostname in use (a SAN entry per subdomain, or a wildcard)
Auto-renewal configured (e.g. ACME) and confirmed to have actually renewed at least once
HSTS header present with max-age of at least one year (31536000) and includeSubDomains; note that HSTS only protects a browser after its first HTTPS visit, so consider the preload list for high-value sites

2. Security Headers

Content-Security-Policy configured, with a script-src that does not rely on * or 'unsafe-inline' (a CSP that allows either does little against XSS)
X-Frame-Options set to DENY or SAMEORIGIN, or a CSP frame-ancestors directive, which supersedes it in modern browsers
X-Content-Type-Options: nosniff present
Referrer-Policy configured (strict-origin-when-cross-origin or stricter)
Permissions-Policy set to disable browser features the site does not use (camera, microphone, geolocation)
No server or framework version disclosed in headers (Server, X-Powered-By)
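The header checks above, together with the HSTS item from the SSL/TLS section, are mechanical enough to script. The following is an added example for this article, not code from ScanYour.Site or any scanner; it audits the head of a raw HTTP response against this checklist. Both responses are constructed for the example (the weak one fails almost every check, the hardened one passes), and the thresholds (a one-year HSTS max-age, a version-number regex for the Server header) are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample responses for this example (not captured from a real host).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src * 'unsafe-inline'
X-Frame-Options: ALLOW-FROM https://partner.example
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

ONE_YEAR = 31_536_000  # seconds; the smallest HSTS max-age worth having (example threshold)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP response into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        parts = clause.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(raw: str) -> List[str]:
    """Return one finding per failed check from the headers section of the checklist."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when absent, exactly as browsers do
        script = csp.get("script-src", csp.get("default-src", []))
        if "*" in script or "'unsafe-inline'" in script:
            findings.append("CSP script-src allows * or 'unsafe-inline'")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    # A dotted version number in Server or X-Powered-By is a disclosure
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(f"{name} header discloses a version")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

To run it against a live site, feed `audit_headers` the raw response head from `curl -sI https://example.com`; the parser ignores anything after the first blank line, so a full response works too.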

3. Network & Ports

Only necessary ports open to the internet (80 and 443 for a web server, with 80 doing nothing but redirecting to 443)
Admin and development ports (8080, 8443, 3000) not reachable from the public internet
Database ports (3306, 5432, 27017) firewalled so they accept connections only from the application hosts
SSH restricted to an IP allowlist or VPN with key-only authentication; moving it off port 22 cuts log noise but is not a control on its own
No unnecessary services running, verified with an external port scan rather than from the host's own configuration
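An external port scan is the evidence for this section, and its output is easy to grade against a port policy. Here is an added example (not ScanYour.Site's scanner and not a real scan result) that parses nmap's grepable (-oG) output format, in which each open port appears as `port/state/protocol/owner/service/rpcinfo/version/`, and classifies every open port against the categories this checklist uses. The scan text, the host address and the policy sets are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample in nmap "grepable" (-oG) format for this example; not from a real scan.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Mon Jan 20 10:00:00 2026 as: nmap -sS -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 3306/open/tcp//mysql//MySQL 8.0/, 8080/open/tcp//http-proxy///, 25/filtered/tcp//smtp///\tIgnored State: closed (994)
# Nmap done at Mon Jan 20 10:00:09 2026 -- 1 IP address (1 host up) scanned in 9.12 seconds
"""

# Port policy for a plain web server (example values matching the checklist)
PUBLIC_WEB = {80, 443}
ADMIN_PORTS = {8080, 8443, 3000}
DATABASE_PORTS = {3306, 5432, 27017}
SSH_PORT = 22


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, protocol, service), ...]} for ports in state 'open'."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                cols = entry.strip().split("/")
                # cols: port, state, protocol, owner, service, rpc info, version, ''
                port, state, proto, service = int(cols[0]), cols[1], cols[2], cols[4]
                if state == "open":
                    hosts[host].append((port, proto, service))
    return hosts


def audit_ports(gnmap: str) -> Dict[str, Dict[int, str]]:
    """Map each host to {port: finding} for every open port that violates the policy."""
    results: Dict[str, Dict[int, str]] = {}
    for host, ports in parse_gnmap(gnmap).items():
        findings: Dict[int, str] = {}
        for port, proto, service in ports:
            if port in PUBLIC_WEB:
                continue  # expected for a web server
            if port in ADMIN_PORTS:
                findings[port] = f"admin/dev port {port} ({service}) reachable from the internet"
            elif port in DATABASE_PORTS:
                findings[port] = f"database port {port} ({service}) reachable from the internet; firewall to app hosts only"
            elif port == SSH_PORT:
                # A scan cannot tell whether an allowlist or key-only auth is in place, so flag for review
                findings[port] = "SSH reachable from the scanner; confirm IP allowlist and key-only auth"
            else:
                findings[port] = f"unexpected open port {port}/{proto} ({service}); remove the service or firewall it"
        results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in audit_ports(SAMPLE_GNMAP).items():
        print(host)
        for port in sorted(findings):
            print(f"  {port}: {findings[port]}")
```

Run the scan from outside your own network (`nmap -sS -oG scan.gnmap target`) and feed the file to `audit_ports`; a scan from the host itself, or from inside the VPC, will not show what the firewall lets through from the internet.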

4. Authentication

Admin panels (/admin, /wp-admin) not reachable by the public; restrict them by IP allowlist, VPN or an extra authentication layer rather than by renaming the path
Strong password policy enforced (minimum 12 characters, checked against breached-password lists)
Multi-factor authentication enabled for every admin account
Rate limiting on login, password-reset and MFA endpoints, applied per IP address and per account
Failed-login handling that slows attackers (progressive delays or temporary blocks) without letting an attacker lock a victim out of their own account with a burst of bad passwords
Session tokens expire, are regenerated at login (against session fixation) and are invalidated on logout and password change
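The last three items interact, and a login handler that gets one of them wrong often gets the others wrong too. The following added example (this article's own illustration, not code from ScanYour.Site or any framework) shows one way to put them together: a sliding-window rate limiter keyed separately by IP and by account, progressive per-account delays instead of a hard lockout, a constant-time password check that runs even for unknown usernames, and a session ID that is regenerated on every successful login. The user store, the limits (20 attempts per minute per IP, 5 per account) and the PBKDF2 iteration count are this example's assumptions; the clock is passed in so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Example value kept low so the demo runs quickly; use a higher count in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class SlidingWindow:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginService:
    SESSION_TTL = 3600          # seconds of idle-free lifetime for a session (example value)
    MAX_BACKOFF = 300           # cap on the per-account delay (example value)

    def __init__(self):
        self.users: Dict[str, Tuple[bytes, bytes]] = {}       # username -> (salt, hash)
        self.failures: Dict[str, int] = defaultdict(int)
        self.next_allowed: Dict[str, float] = defaultdict(float)
        self.sessions: Dict[str, Tuple[str, float]] = {}      # session id -> (user, expiry)
        self.ip_limiter = SlidingWindow(limit=20, window=60)
        self.user_limiter = SlidingWindow(limit=5, window=60)
        # Dummy credential so unknown usernames cost the same time as real ones
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(8), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        if len(password) < 12:
            raise ValueError("password must be at least 12 characters")
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, ip: str, now: float,
              old_session: Optional[str] = None) -> Tuple[bool, str, Optional[str]]:
        """Return (success, reason, session_id)."""
        if not self.ip_limiter.allow(ip, now):
            return False, "rate_limited_ip", None
        if not self.user_limiter.allow(username, now):
            return False, "rate_limited_account", None
        if now < self.next_allowed[username]:
            return False, "backoff", None            # progressive delay, not a permanent lockout

        salt, stored = self.users.get(username, (self._dummy_salt, self._dummy_hash))
        # compare_digest runs first so timing does not reveal whether the user exists
        ok = hmac.compare_digest(hash_password(password, salt), stored) and username in self.users
        if not ok:
            self.failures[username] += 1
            fails = self.failures[username]
            if fails >= 3:   # 1s, 2s, 4s ... capped, so the account is never fully locked
                self.next_allowed[username] = now + min(2 ** (fails - 3), self.MAX_BACKOFF)
            return False, "invalid_credentials", None

        self.failures[username] = 0
        self.next_allowed[username] = 0.0
        if old_session:                               # rotate: the pre-login session id dies here
            self.sessions.pop(old_session, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, now + self.SESSION_TTL)
        return True, "ok", sid

    def validate_session(self, sid: str, now: float) -> Optional[str]:
        """Return the username for a live session, expiring it if the TTL has passed."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self.sessions[sid]
            return None
        return user
```

The per-account limiter and the backoff are what stop credential stuffing against one user; the per-IP limiter is what stops one source spraying many accounts. Neither replaces MFA on admin accounts, which is the item above that makes a leaked password survivable.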

5. Application Security

All dependencies up to date with no known CVEs, checked against the lockfile with a software-composition-analysis tool, not just the top-level packages
SQL injection: every query uses parameterized statements; no user input is concatenated or formatted into SQL text
XSS: output is encoded for the context it lands in (HTML body, attribute, JavaScript, URL), with CSP as a second layer; input validation alone does not prevent XSS
CSRF: anti-CSRF tokens on every state-changing request, plus a SameSite attribute on the session cookie
File uploads: an allowlist of types checked by content rather than by extension or the client-supplied Content-Type, a size limit, and storage outside the web root
Error pages do not expose stack traces, file paths or framework versions

6. Monitoring & Response

Uptime monitoring active
Certificate expiry alerts configured, firing well before the 30-day mark
Automated security scans scheduled
Incident response plan documented and rehearsed: who gets paged, how credentials are revoked, how the site is restored
Backup and recovery tested in the last 30 days (a restore that has never been tried is not a backup)
Logs retained and monitored for anomalies such as bursts of failed logins, new admin users and unexpected outbound connections

How Often to Run This Audit

Weekly: Automated scan with ScanYour.Site
Monthly: Review findings and patch critical issues
Quarterly: Full manual audit using this checklist

Run this checklist automatically

ScanYour.Site checks SSL, headers, open ports, and more in one scan. Get a score and actionable findings in under 60 seconds.
