Skip to content

Website security: complete checklist

Last updated: 31 December 2025

Why website security is essential

Thousands of websites are hacked daily. The consequences: data loss, reputation damage, SEO penalties, and potentially GDPR fines. This checklist helps you implement the most important security measures.

Basic security

SSL certificate

  • HTTPS active on all pages
  • HTTP traffic redirects to HTTPS
  • No mixed content warnings
  • Certificate auto-renewing

Strong passwords

  • Minimum 12 characters with letters, numbers, and symbols
  • Unique passwords per account
  • Password manager in use
  • No default admin usernames

Two-factor authentication

  • 2FA active for admin accounts
  • Backup codes safely stored
  • 2FA for FTP/SSH access where possible

Software up-to-date

CMS and plugins

  • Latest version of WordPress/Joomla/Drupal
  • All plugins and themes updated
  • Unused plugins removed
  • Automatic updates enabled

Server

  • PHP version current (8.1+)
  • Operating system patched
  • Web server (Apache/Nginx) updated

Access management

Limited rights

  • Only necessary users have admin rights
  • FTP accounts limited to required folders
  • Database users have minimal rights

Login security

  • Limited login attempts (e.g., 5 attempts, then block)
  • CAPTCHA on login forms
  • IP whitelist for admin area (optional)
  • Admin URL changed (WordPress)

Backups

  • Daily automatic backups
  • Backups stored at external location
  • Database and files backed up separately
  • Restore regularly tested

Monitoring

Activity logging

  • Login attempts are logged
  • File changes are detected
  • Error messages are tracked

Uptime monitoring

  • External monitoring active
  • Alerts on downtime
  • SSL expiration warnings set

Advanced measures

Security headers

  • Content-Security-Policy
  • X-Content-Type-Options
  • X-Frame-Options
  • Strict-Transport-Security (HSTS)

Web Application Firewall

  • WAF active (Cloudflare, Sucuri, or hosting-level)
  • Rules configured for your application
  • False positives tested

Malware scanning

  • Regular scans scheduled
  • Real-time monitoring active
  • Quarantine procedure known

Emergency procedures

  • Hosting provider contact details at hand
  • Backups available for restore
  • Know how to take site offline
  • Incident reporting process documented

Start with basic security and work your way up. Every implemented measure significantly improves your security.

Was this article helpful?

Compare hosting packages directly to find the best choice for your situation.

Related articles

What is web hosting? Explanation for beginners

Discover what web hosting is and how it works. Complete explanation about servers, domains and different hosting types for beginners.

What is VPS Hosting?

VPS hosting explained: what is a Virtual Private Server, who is it suitable for and what are the advantages compared to shared hosting?

What is an SSL Certificate?

Everything about SSL certificates: what is SSL, why do you need it and how do you recognize a secure website? Essential for every website.

What is Uptime in Web Hosting?

What does uptime mean in web hosting? Learn about uptime percentages, SLA guarantees and why 99.9% uptime is important for your website.

How much storage do I need for my website?

Discover how much disk space you really need for your website. Practical guide with examples per website type.

Ready to choose?

Compare hosting packages