Most website security advice fails in the same way: it's either a vague pep talk ("stay vigilant!") or a wall of jargon written for people who already know it. What's genuinely useful is a concrete list of things to verify, in plain language, that you can work through in an afternoon.
That's what this is — the checks that matter most for a website in 2026, grouped so you can tackle them in order. You don't need to be technical to follow it. You do need to actually go through it.
Encryption and transport
Everything starts with how data travels between your visitors and your server. Get this layer wrong and nothing above it can be trusted.
Valid SSL/TLS certificate. Confirm it's installed correctly, covers every hostname you serve (the bare domain and www), chains to a trusted authority, and isn't close to expiring. An expired certificate doesn't just look bad: browsers show a full-page warning that, on a site with HSTS, visitors cannot click past.
Modern TLS only. Your server should offer TLS 1.2 and 1.3 and refuse SSLv3, TLS 1.0 and TLS 1.1. Many sites leave the legacy versions enabled out of inertia, and a client that can be pushed onto one of them inherits their known weaknesses.
HTTPS enforced everywhere. Every HTTP request should answer with a permanent redirect (301 or 308) to the same URL over HTTPS. A single page still served over plain HTTP can be read and rewritten by anyone on the network path, which is all an attacker needs to inject content or keep a visitor off HTTPS for the rest of the session.
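The three transport checks above can be scripted in a few dozen lines. The following is an added example, not EzyAudit's scanner or any tooling from the original page: the check logic is a pure function you can feed captured data, and the network helpers probe a placeholder hostname (example.com, an assumption; replace it with your own). The probe for legacy versions pins a handshake to exactly one protocol at a time, which is how you tell "TLS 1.0 accepted" apart from "TLS 1.0 merely not preferred".

```python
"""Transport-layer checks: certificate expiry, legacy TLS versions still
accepted, and the plain-HTTP redirect. Added example; hostname is a placeholder."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPConnection

LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
MODERN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
REDIRECTS = {301, 302, 307, 308}


def _as_utc(value):
    """Accept a datetime or an ISO 8601 date string; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def evaluate_transport(not_after, accepted, status, location, now=None):
    """Pure check logic, so it can run on captured data without a network.

    not_after: certificate expiry (datetime or ISO date string)
    accepted:  set of protocol names the server completed a handshake with
    status, location: response to a plain-HTTP GET / on port 80
    Returns a list of finding strings; empty means all three checks passed.
    """
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    findings = []
    days_left = (_as_utc(not_after) - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < 14:
        findings.append(f"certificate expires in {days_left} days")
    legacy_on = sorted(v for v in accepted if v in LEGACY)
    if legacy_on:
        findings.append("legacy protocols accepted: " + ", ".join(legacy_on))
    if not accepted & set(MODERN):
        findings.append("neither TLS 1.2 nor 1.3 is offered")
    if status not in REDIRECTS or not (location or "").startswith("https://"):
        findings.append("plain HTTP does not redirect to https://")
    elif status not in (301, 308):
        findings.append(f"HTTP redirect uses {status}; prefer a permanent 301 or 308")
    return findings


def handshake_accepts(host, version, port=443):
    """Try one handshake pinned to exactly one protocol version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # testing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        if version in LEGACY.values():
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def cert_not_after(host, port=443):
    """Fetch the leaf certificate with full verification and return its expiry."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def http_redirect(host):
    """Issue a plain-HTTP GET / and return (status, Location) without following it."""
    conn = HTTPConnection(host, 80, timeout=5)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "transport-check"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    accepted = {name for name, v in {**LEGACY, **MODERN}.items() if handshake_accepts(host, v)}
    status, location = http_redirect(host)
    for line in evaluate_transport(cert_not_after(host), accepted, status, location) or ["all transport checks passed"]:
        print(line)
```

Run it as `python3 transport_check.py yourdomain.example`. The expiry threshold of 14 days is a choice made here, not something the page prescribes; shorten it if your certificates renew automatically a few days before expiry.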
Security headers
These are short instructions your server sends with every page telling the browser how to protect your visitors. They're invisible, easy to overlook, and among the most common gaps a scan turns up.
HSTS — tells a browser that has seen it once to use HTTPS for your domain for the period set in max-age and to refuse the connection if the certificate is invalid. It protects only return visitors, so set max-age to at least a year and consider the preload list.
Content-Security-Policy — limits where scripts and other resources can load from. It is the strongest browser-side defence against cross-site scripting, but only if it avoids 'unsafe-inline' for scripts, and it backs up output encoding rather than replacing it.
X-Frame-Options — stops your site being embedded in a hidden frame to trick users into clicking things they can't see. CSP's frame-ancestors directive does the same job in modern browsers; sending both costs nothing.
X-Content-Type-Options — with the value nosniff, stops the browser guessing a file's type from its contents, a habit that can turn an uploaded or mislabelled file into executable script.
Permissions-Policy — controls access to sensitive browser features like camera, microphone, and location.
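Presence alone is not the check; an HSTS header with a one-day max-age or a CSP that allows 'unsafe-inline' passes a naive scan and protects little. The block below is an added example, not the page's or EzyAudit's code, that audits a captured set of response headers against the five items above and also covers the version-disclosure item from the Information disclosure section further down. The two header sets are constructed for illustration, not taken from any real site. Fetch real headers with `curl -sI https://yourdomain.example` and feed them in as a dict.

```python
"""Audit one HTTPS response's security headers. Added example; sample headers are constructed."""
import re

ONE_YEAR = 365 * 24 * 3600


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """headers: dict of response header name -> value (names matched case-insensitively).
    Returns a list of (severity, message) tuples; empty means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age={max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS does not cover subdomains (includeSubDomains)"))

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        if "script-src" not in csp and "default-src" not in csp:
            findings.append(("high", "CSP has neither script-src nor default-src"))
        script_src = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        # browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it on its own
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append(("high", "CSP script-src allows 'unsafe-inline' without a nonce or hash"))
        if any(t in ("*", "https:", "http:", "data:") for t in script_src):
            findings.append(("high", "CSP script-src contains a wildcard-like source"))

    frame_protected = (csp is not None and "frame-ancestors" in csp) or "x-frame-options" in h
    if not frame_protected:
        findings.append(("medium", "no clickjacking protection (frame-ancestors or X-Frame-Options)"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))
    if "permissions-policy" not in h:
        findings.append(("low", "Permissions-Policy missing"))
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):   # a dotted number is almost always a version
            findings.append(("low", f"{name} header discloses a version: {h[name]}"))
    return findings


# Constructed header sets for illustration, not captured from any real site.
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
}
STRONG = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(hdrs) or "no findings")
```

The severities are the editor's own rough ordering, not a standard. Note the nonce handling: a policy that carries both 'unsafe-inline' and a nonce is the recommended way to stay compatible with very old browsers, and flagging it would be a false positive.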
Software and known vulnerabilities
This is where a large share of real compromises start, especially on WordPress and other plugin-based platforms: a published vulnerability in a component nobody got round to updating.
Everything updated. Core platform, plugins, themes, and server software all current.
No known CVEs. Every component checked against a vulnerability database so nothing you run has a published, exploitable flaw.
No dead weight. Unused plugins and themes deleted, not just deactivated — inactive code can still be exploited.
If you only do one thing from this entire list, make it this: confirm nothing you run has a known, unpatched vulnerability. It is the single highest-value check, and the one attackers rely on you to skip.
DNS and email authentication
These records decide whether someone can impersonate your domain — a favourite tactic for phishing campaigns that trade on your reputation.
SPF — declares which servers are allowed to send email for your domain.
DKIM — cryptographically signs your outgoing email so receivers can verify it was sent by your domain and not altered in transit.
DMARC — tells receiving servers what to do with mail that fails those checks, and is the piece most domains are missing. A policy of p=none only requests reports and blocks nothing; the goal is quarantine or reject.
CAA — restricts which authorities may issue certificates for your domain.
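Having the four records is the first step; having them say something useful is the check. The block below is an added example, not the page's or EzyAudit's code. It takes the record strings your resolver returns (for instance from `dig TXT yourdomain.example`, `dig TXT _dmarc.yourdomain.example`, `dig TXT <selector>._domainkey.yourdomain.example` and `dig CAA yourdomain.example`) so it runs offline, and flags the mistakes that leave a domain spoofable while looking configured. The sample records are constructed for a placeholder domain; the DKIM public key is a truncated placeholder, not a real key. The SPF lookup count applies the ten-lookup limit from RFC 7208.

```python
"""Sanity-check SPF, DKIM, DMARC and CAA record strings. Added example; sample records are constructed."""

# Each of these SPF terms costs a DNS query; RFC 7208 allows at most ten per evaluation.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _tags(record):
    """Parse 'k=v; k2=v2' style records (DKIM, DMARC) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    all_terms = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif all_terms[-1] in ("all", "+all"):   # bare 'all' defaults to the '+' qualifier
        findings.append("'+all' lets any server send as your domain; use -all or ~all")
    elif all_terms[-1] == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to act on")
    # mechanism name = term minus qualifier, minus ':domain', '=domain' or '/cidr' suffix
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10; receivers return permerror")
    return findings


def audit_dkim(record):
    tags = _tags(record)
    findings = []
    if tags.get("v", "DKIM1").strip() != "DKIM1":    # v= is optional but must be DKIM1 if present
        findings.append("v tag is not DKIM1")
    if not tags.get("p", "").strip():
        findings.append("empty p tag: this key is revoked, mail signed with it will fail")
    if tags.get("t", "").strip() == "y":
        findings.append("t=y marks the domain as testing; receivers treat failures leniently")
    return findings


def audit_dmarc(record):
    tags = _tags(record)
    if tags.get("v", "").strip() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100").strip()
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy == "reject" and tags.get("sp", "").strip().lower() == "none":
        findings.append("sp=none leaves subdomains unprotected despite p=reject")
    return findings


def audit_caa(records):
    """records: list of CAA record strings, e.g. '0 issue "letsencrypt.org"'."""
    if not records:
        return ["no CAA records: any public CA may issue for this domain"]
    findings = []
    if not any(len(r.split()) >= 3 and r.split()[1] in ("issue", "issuewild") for r in records):
        findings.append("CAA present but without issue/issuewild tags; issuance is not restricted")
    if not any(" iodef " in r for r in records):
        findings.append("no iodef tag: CAs cannot report rejected certificate requests to you")
    return findings


# Constructed records for a placeholder domain.
WEAK_SPF = ("v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example a mx ptr "
            "exists:%{i}.chk.example include:c.example include:d.example include:e.example "
            "include:f.example include:g.example +all")
GOOD_SPF = "v=spf1 include:_spf.mail-a.example ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DKIM = "v=DKIM1; k=rsa; t=y; p="
GOOD_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"  # truncated placeholder key
GOOD_CAA = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"']

if __name__ == "__main__":
    for label, result in (("weak SPF", audit_spf(WEAK_SPF)), ("good SPF", audit_spf(GOOD_SPF)),
                          ("weak DMARC", audit_dmarc(WEAK_DMARC)), ("good DMARC", audit_dmarc(GOOD_DMARC)),
                          ("weak DKIM", audit_dkim(WEAK_DKIM)), ("no CAA", audit_caa([])), ("good CAA", audit_caa(GOOD_CAA))):
        print(label, result or "ok")
```

The weak SPF record is the shape many real ones drift into: every mail vendor adds an include, the count quietly passes ten, and receivers start returning permerror so that SPF silently stops protecting the domain.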
Information disclosure
Attackers look for things you left lying around. Before they do, you should.
No exposed backup files, database dumps, or archives reachable from a browser
No readable debug logs or environment (.env) files leaking credentials and configuration
Directory listing disabled, so folders don't reveal their contents to anyone who asks
Server and software version numbers not broadcast unnecessarily in response headers
Platform hardening
If you run WordPress specifically, a few extra checks close off its most-targeted weak spots:
User enumeration blocked, so attackers can't easily harvest valid usernames
XML-RPC disabled unless you actively need it, and rate-limited or restricted to known clients if you do
File editing disabled from inside the admin dashboard
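Most of the items in the two sections above (exposed files, directory listings, user enumeration, XML-RPC) come down to requesting a handful of URLs and recognising what comes back. The block below is an added example, not the page's or EzyAudit's code; the probe paths, the response signatures and the sample responses are constructed by the editor, and the default hostname is a placeholder. Only point the network part at sites you are authorised to test. The admin file-editing item cannot be checked from outside; that one is a setting in wp-config.php.

```python
"""Probe common exposure paths and WordPress weak spots, then classify the responses.
Added example; probe list, signatures and sample responses are constructed."""
import re
import sys
from http.client import HTTPSConnection

PROBES = [
    "/.env", "/.git/config", "/wp-config.php.bak", "/backup.sql", "/backup.zip",
    "/debug.log", "/wp-content/debug.log", "/wp-content/uploads/", "/wp-includes/",
    "/?author=1", "/wp-json/wp/v2/users", "/xmlrpc.php",
]


def classify(path, status, content_type, body):
    """Return a finding for one probe response, or None if nothing looks exposed.
    body need only be the first few KB of the response."""
    text = body[:4096]
    lower = text.lower()
    if path.startswith("/?author=") and status in (301, 302, 307, 308):
        # WordPress rewrites ?author=N to /author/<username>/, handing out the login name
        return f"user enumeration: {path} redirects to an author archive"
    if status != 200:
        return None
    if path == "/.env" and re.search(r"^\s*[A-Z_]+=", text, re.M):
        return ".env file readable (KEY=VALUE lines present)"
    if path.startswith("/wp-config.php") and "DB_PASSWORD" in text:
        return f"{path} exposes wp-config.php contents"
    if path == "/.git/config" and "[core]" in text:
        return ".git/config readable: repository contents can be downloaded"
    if path.endswith((".sql", ".sql.gz", ".zip", ".tar.gz")) and (
            content_type.startswith(("application/", "text/plain")) or "insert into" in lower):
        return f"{path} downloadable backup or dump"
    if "<title>index of" in lower:
        return f"directory listing enabled at {path}"
    if path == "/wp-json/wp/v2/users" and '"slug"' in text:
        return "REST API lists user slugs (user enumeration)"
    if path == "/xmlrpc.php" and "xml-rpc server accepts post requests only" in lower:
        return "XML-RPC enabled"
    if path.endswith(".log") and content_type.startswith("text/plain"):
        return f"{path} is a readable log file"
    return None


def classify_all(responses):
    """responses: iterable of (path, status, content_type, body) tuples."""
    return [f for f in (classify(*r) for r in responses) if f]


def probe(host, paths=PROBES):
    """Fetch each probe path over HTTPS and classify the result (network required)."""
    responses = []
    for path in paths:
        conn = HTTPSConnection(host, timeout=5)
        conn.request("GET", path, headers={"User-Agent": "exposure-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        responses.append((path, resp.status, resp.getheader("Content-Type", ""), body))
        conn.close()
    return classify_all(responses)


# Constructed responses for illustration, not captured from any real site.
SAMPLE_RESPONSES = [
    ("/.env", 200, "text/plain", "APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    ("/.git/config", 200, "text/plain", "[core]\n\trepositoryformatversion = 0\n"),
    ("/backup.sql", 200, "application/octet-stream", "-- MySQL dump\nINSERT INTO wp_users VALUES (1,'admin');"),
    ("/wp-content/uploads/", 200, "text/html", "<html><head><title>Index of /wp-content/uploads</title>"),
    ("/?author=1", 301, "text/html", ""),
    ("/wp-json/wp/v2/users", 200, "application/json", '[{"id":1,"name":"Site Admin","slug":"admin"}]'),
    ("/xmlrpc.php", 200, "text/plain", "XML-RPC server accepts POST requests only."),
    ("/debug.log", 404, "text/html", "Not Found"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = probe(sys.argv[1])          # live run against a host you own
    else:
        findings = classify_all(SAMPLE_RESPONSES)   # offline run on the constructed samples
    print("\n".join(findings) or "nothing exposed")
```

A 200 on its own proves little, since many sites return a styled "not found" page with a 200 status; that is why every rule pairs the status with a content signature. Add your own paths to PROBES (old backup names, staging dumps) rather than relying on the generic list.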
Turning the checklist into a habit
Working through this list once is worthwhile. The catch is that every item can quietly fall out of compliance over time — a certificate expires, a plugin update introduces a flaw, a DNS record gets changed. A checklist is a snapshot; security is a moving target.
That's the case for automating it. EzyAudit AI runs every check on this list — 40-plus in total — in about 90 seconds, scores the result, and with monitoring enabled re-runs it continuously so you're told the moment something slips. A single scan is $9; ongoing monitoring starts at $19 a month. Either way, the checklist stops depending on you remembering to open it.
See how your website scores
Run a full 40+ point security audit in 90 seconds. Get an A–F grade with exact fix steps for every issue found.