The Complete Website Security Checklist for 2026

Whether you manage a single blog or a portfolio of client websites, this checklist covers the security controls that matter most. Use it as a reference, run it against your own sites, and address anything you find missing.

Better still — run an automated scan with EzyAudit AI and get all of this checked for you in 90 seconds, with a prioritised list of what to fix first.

1. SSL / TLS Configuration

• Valid SSL certificate installed — your site must serve HTTPS on all pages
• Certificate not expiring soon — renew at least 30 days before expiry; enable auto-renewal
• TLS 1.2 and 1.3 enabled — TLS 1.0 and 1.1 are deprecated and must be disabled
• Strong cipher suites only — disable RC4, DES, 3DES, and EXPORT ciphers
• Forward secrecy enabled — use ECDHE or DHE key exchange
• HTTP/2 supported — improves performance and security

2. HTTP Security Headers

• HSTS (Strict-Transport-Security) — max-age=31536000; includeSubDomains; preload
• Content-Security-Policy — defines which sources can load scripts, styles and media
• X-Frame-Options: SAMEORIGIN — prevents clickjacking attacks
• X-Content-Type-Options: nosniff — prevents MIME-type sniffing
• Referrer-Policy — controls what referrer information is sent to external sites
• Permissions-Policy — restricts access to browser APIs like camera and microphone
• X-XSS-Protection — enables XSS filtering in older browsers
• security.txt — provides a channel for responsible vulnerability disclosure

3. DNS and Email Authentication

• SPF record — specifies which servers can send email for your domain
• DMARC with enforcement — p=quarantine or p=reject stops spoofed emails reaching inboxes
• DKIM configured — cryptographically signs outgoing email to verify authenticity
• CAA records — restricts which Certificate Authorities can issue SSL certs for your domain

4. Plugin, Theme, and CMS Security

• WordPress core up to date — always run the latest stable release
• All plugins updated — check for updates at least weekly; enable auto-updates where possible
• All themes updated — including inactive themes (delete themes you do not use)
• No plugins with known CVEs — check against NVD or run an automated vulnerability scan
• Minimal plugin footprint — every additional plugin is an additional attack surface; deactivate and delete unused ones

5. HTTPS Enforcement and Redirect Configuration

• HTTP redirects to HTTPS — all HTTP requests should receive a 301 redirect to HTTPS
• Consistent www/non-www — choose one canonical form and redirect the other
• No mixed content — all resources (images, scripts, stylesheets) must load over HTTPS

6. Cookie Security

• Secure flag on all cookies — ensures cookies are only sent over HTTPS
• HttpOnly flag — prevents JavaScript from accessing session cookies (mitigates XSS)
• SameSite attribute — Strict or Lax setting prevents CSRF attacks

7. Information Disclosure Prevention

• No exposed .env files — environment files containing secrets must not be web-accessible
• No phpinfo() pages — delete any phpinfo.php or info.php files from your web root
• No exposed database backups — never store .sql, .zip, or database dump files in your web root
• Server version hidden — suppress the Server and X-Powered-By headers
• Directory listing disabled — Options -Indexes in Apache or autoindex off in Nginx
• No exposed .git directory — never deploy from a git repository without blocking .git access
• WordPress readme.html deleted — remove or block access to expose the WP version

8. WordPress-Specific Controls

• User enumeration blocked — prevent disclosure of usernames via the REST API and author archives
• XML-RPC disabled — unless specifically needed; blocks brute-force and DDoS amplification attacks
• Debug log not publicly accessible — set WP_DEBUG_LOG path outside web root or disable in production
• Login URL not default — consider moving /wp-login.php to reduce automated brute-force attempts
• Two-factor authentication — on all admin accounts

9. Network and WAF

• Web Application Firewall in place — Cloudflare, Sucuri, or Wordfence
• Sensitive ports closed — database, cache, and management ports (3306, 6379, 9200) should not be publicly accessible
• CORS policy configured — do not use wildcard (*) Access-Control-Allow-Origin headers

Run This Entire Checklist Automatically

EzyAudit AI checks every item on this list (and more) automatically in around 90 seconds. You get a prioritised list of what to fix, plain-English explanations of why each item matters, and exact steps to resolve each issue. Start your free scan today and know exactly where you stand.