Free Security Checklist 2025

Website Security Checklist 2025

The most comprehensive security checklist for your website. Over 70 checkpoints covering SSL/TLS, GDPR compliance, malware protection, and more. Interactive and printable as PDF.

43%

of attacks target SMBs

4.35M

avg. breach cost (EUR)

70+

security checkpoints

0 of 70+ items checked

1. SSL/TLS & HTTPS

Encryption and secure connections

Valid SSL/TLS certificate installed

Certificate must be valid and not expired - check at ssllabs.com

TLS 1.2 or TLS 1.3 enabled (older versions disabled)

TLS 1.0 and 1.1 have known vulnerabilities and should be disabled

HTTPS redirect for all HTTP requests

All traffic must be automatically redirected to HTTPS

Certificate chain complete and valid

Intermediate certificates must be correctly configured

Strong cipher suites configured

Use modern ciphers, disable weak ones like RC4, DES, 3DES

Perfect Forward Secrecy (PFS) enabled

Protects past sessions even if private key is compromised

Certificate expiration monitoring set up

Set up alerts before certificate expires (30 days in advance)

Mixed content issues resolved

No HTTP resources loaded on HTTPS pages

OCSP Stapling enabled

Improves SSL handshake performance and privacy

2. Security Headers

HTTP security headers for attack prevention

Strict-Transport-Security (HSTS) enabled

Forces HTTPS connections - include max-age and includeSubDomains

Content-Security-Policy (CSP) configured

Prevents XSS attacks by controlling resource loading sources

X-Frame-Options set to DENY or SAMEORIGIN

Prevents clickjacking attacks by controlling iframe embedding

X-Content-Type-Options set to nosniff

Prevents MIME type sniffing attacks

X-XSS-Protection enabled (for older browsers)

Legacy XSS protection - set to "1; mode=block"

Referrer-Policy configured

Controls referrer information sent with requests (strict-origin-when-cross-origin)

Permissions-Policy (Feature-Policy) set

Controls browser features like camera, microphone, geolocation

Cache-Control headers properly configured

Prevent caching of sensitive pages (no-store for private content)

Server header information hidden

Don't reveal server software versions (Apache, nginx, etc.)

4. Malware Protection

Defense against malicious software and attacks

Web Application Firewall (WAF) active

Cloudflare, Sucuri, or server-based WAF to filter malicious traffic

Regular malware scans configured

Automated scanning at least weekly for suspicious files

CMS and plugins up to date

WordPress, Joomla, Drupal etc. must be current versions

Unused plugins and themes removed

Inactive code can still contain vulnerabilities

File integrity monitoring active

Alert when core files are modified unexpectedly

SQL injection protection implemented

Use parameterized queries and input validation

XSS (Cross-Site Scripting) protection

Sanitize all user input and output encoding

CSRF (Cross-Site Request Forgery) tokens used

Protect forms and actions with unique tokens

DDoS protection enabled

CDN or hosting provider with DDoS mitigation

5. Backup & Recovery

Data backup and disaster recovery

Automated daily backups configured

Both database and files should be backed up automatically

3-2-1 backup rule followed

3 copies, 2 different media types, 1 off-site location

Backups stored in separate location

Different server or cloud storage, not on same server

Backup encryption enabled

Protect backup files with strong encryption (AES-256)

Regular backup restore tests performed

Verify backups actually work - test quarterly

Backup retention policy defined

Define how long backups are kept (daily, weekly, monthly)

Disaster recovery plan documented

Step-by-step procedure for complete site restoration

Recovery Time Objective (RTO) defined

Maximum acceptable downtime in case of disaster

6. Authentication & Access

User authentication and access control

Strong password policy enforced

Minimum 12 characters, mixed case, numbers, special chars

Two-Factor Authentication (2FA) enabled

TOTP, SMS, or hardware keys for admin accounts

Lock accounts after failed attempts, CAPTCHA

Admin URL changed from default

Don't use /admin, /wp-admin, /administrator

Principle of least privilege applied

Users only have permissions they need

Session management secure

Secure session cookies, timeout, regeneration after login

Password hashing with bcrypt or Argon2

Never store plain text or weak hashes (MD5, SHA1)

Regular user access review

Remove inactive accounts, review permissions quarterly

Secure password reset process

Time-limited tokens, no security questions, email verification

7. Server Security

Server-level security configuration

Operating system up to date

Apply security patches regularly

Web server software updated

Apache, nginx, IIS current versions

PHP/Node.js/Python updated

Programming language runtimes current and secure

Firewall configured (iptables, UFW, etc.)

Only required ports open (80, 443, SSH)

SSH secured (key auth, no root, custom port)

Disable password auth, use SSH keys, fail2ban

File permissions correctly set

Directories 755, files 644, config files 600

Directory listing disabled

Prevent browsing directory contents

Database secured (not publicly accessible)

MySQL/PostgreSQL only accessible from localhost

Sensitive files protected (.env, config)

Block access to configuration files via web

8. Monitoring & Logging

Security monitoring and audit trails

Uptime monitoring configured

Get alerts when site goes down (UptimeRobot, Pingdom)

Security event logging enabled

Log login attempts, file changes, admin actions

Error logging configured (not exposing details)

Log errors to file, show generic messages to users

Access logs analyzed regularly

Look for suspicious patterns and attacks

SSL certificate monitoring active

Alert before certificates expire

Blacklist monitoring (Google Safe Browsing)

Get alerts if site is flagged as malicious

Log retention policy defined

Keep logs long enough for forensics (90+ days)

Incident response plan documented

Steps to take when security incident occurs

Recommended Security Testing Tools

Free online tools to verify your website security configuration.

SSL Labs Server Test

Comprehensive SSL/TLS configuration analysis with detailed grading.

Test your SSL

Security Headers

Analyze HTTP security headers and get recommendations for improvement.

Scan headers

Sucuri SiteCheck

Free malware and security scanner to check for threats and blacklisting.

Scan for malware

Frequently Asked Questions

Common questions about website security.

Why is website security so important in 2025?

43% of all cyberattacks target small and medium-sized businesses. The average cost of a data breach is 4.35 million euros. Additionally, GDPR violations can result in fines of up to 4% of annual revenue. A secure website protects your business, customers, and reputation.

What security headers should every website have?

Essential security headers include: Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security (HSTS), Referrer-Policy, and Permissions-Policy. These headers protect against XSS attacks, clickjacking, and other common threats.

How often should website backups be performed?

For dynamic websites with regular content updates, daily backups are recommended. E-commerce sites should consider real-time or hourly backups. Static websites can often get by with weekly backups. Always follow the 3-2-1 rule: 3 copies, 2 different media, 1 off-site location.

What is the difference between SSL and TLS?

TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). Although we often say "SSL certificate", modern implementations actually use TLS 1.2 or TLS 1.3. TLS 1.3 is the current standard and offers the best security and performance.

How can I check if my website is GDPR compliant?

Key GDPR requirements include: cookie consent banner before setting non-essential cookies, privacy policy with complete data processing information, SSL encryption for all data transfers, data processing agreements with service providers, and implementation of user rights (data access, deletion, portability).

Save & Share Checklist

Save your progress or print the complete security checklist as PDF.

Request Security Audit

Your progress is automatically saved in the browser

Need Help Securing Your Website?

Our team performs professional security audits and implements comprehensive protection for your website.

Request Free Security Assessment

More Security Resources