Use this checklist to reduce your website's exposure to common threats and vulnerabilities. Work through every section, not just the items that are quick to tick off: a single unpatched plugin or world-writable upload folder undoes the rest.
Account Security
- [ ] Use a strong, unique password for your hosting account
- [ ] Enable two-factor authentication
- [ ] Use a unique email address for your hosting account, protected by its own strong password and two-factor authentication (password resets for the hosting account land in that mailbox)
- [ ] Review account access logs regularly
- [ ] Remove unused FTP accounts
SSL & Encryption
- [ ] SSL certificate installed and valid
- [ ] Force HTTPS redirect enabled
- [ ] No mixed content warnings
- [ ] HSTS enabled (advanced: browsers cache the policy for the full max-age, so start with a short max-age, confirm every subdomain serves valid HTTPS, and only then raise it to a year and add includeSubDomains)
Software Updates
- [ ] CMS updated to latest version
- [ ] All plugins/extensions updated
- [ ] Themes updated
- [ ] PHP version is current and supported
- [ ] Unused plugins/themes removed
Access Control
- [ ] No default usernames (admin, administrator)
- [ ] Strong passwords for all users
- [ ] Remove inactive user accounts
- [ ] Appropriate user permissions set
- [ ] Login attempt limiting enabled
File Security
- [ ] Correct file permissions (644 for files, 755 for folders; tighten files that hold credentials such as wp-config.php to 640 or 600; nothing world-writable)
- [ ] Directory listing disabled
- [ ] Sensitive files protected (.htaccess, wp-config.php)
- [ ] File integrity monitoring enabled
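The four File Security items above can be checked and enforced from the shell. The script below is an added example, not part of the original checklist: it applies the 644/755 defaults, tightens wp-config.php, lists anything world-writable, and keeps a SHA-256 baseline that catches both modified files and new ones (a dropped web shell is a new file, which `sha256sum -c` alone would never notice). It assumes Linux with GNU coreutils/findutils (`find -perm /MODE`, `sort -z`, `stat -c`); the web root, file names and tampering in `run_demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Assumes Linux with GNU
# coreutils/findutils. The web root and "tampering" below are constructed.

# Apply the checklist defaults: 755 for directories, 644 for files. The WordPress
# config file holds database credentials, so it is tightened to 640 (assumed name).
harden_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# Anything writable by group or others is a foothold for dropping a web shell.
find_world_writable() {
    find "$1" -type f -perm /022
}

# Hash every file once, right after a clean install or update.
write_baseline() {        # write_baseline <root> <baseline-file>
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Re-hash against the baseline. sha256sum -c reports modified or deleted files;
# the comm step reports files that did not exist when the baseline was taken.
# Returns 1 if anything changed.
check_baseline() {        # check_baseline <root> <baseline-file>
    root="$1"; base="$2"; status=0
    sha256sum --quiet -c "$base" 2>/dev/null || status=1
    find "$root" -type f | sort > "$base.now"
    awk '{ print $2 }' "$base" | sort > "$base.was"
    comm -13 "$base.was" "$base.now" | sed 's/^/NEW FILE: /' | grep . && status=1
    rm -f "$base.now" "$base.was"
    return $status
}

# Demonstration on a throwaway site: permissions get fixed, a clean tree passes,
# and a dropped web shell plus an edited index.php are both reported.
run_demo() {
    root=$(mktemp -d); base="$root.sha256"
    mkdir -p "$root/wp-content/uploads"
    printf '<?php define("DB_PASSWORD", "example");\n' > "$root/wp-config.php"
    printf '<?php echo "home";\n' > "$root/index.php"
    chmod 666 "$root/index.php"                          # deliberately wrong
    harden_permissions "$root"
    [ -z "$(find_world_writable "$root")" ] || return 1
    [ "$(stat -c %a "$root/wp-config.php")" = 640 ] || return 1
    write_baseline "$root" "$base"
    check_baseline "$root" "$base" || return 1           # clean tree must pass
    printf '<?php @eval($_POST["c"]);\n' > "$root/wp-content/uploads/.cache.php"  # simulated web shell
    printf '// tampered\n' >> "$root/index.php"
    if check_baseline "$root" "$base"; then return 1; fi # changes must be reported
    rm -rf "$root" "$base"
    return 0
}

if run_demo; then echo "permissions hardened; baseline catches new and modified files"; else echo "demo failed"; fi
```

Keep the baseline file outside the web root and regenerate it after every legitimate update; a cron job that runs `check_baseline` and mails its output is the simplest form of file integrity monitoring.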
Backup & Recovery
- [ ] Automated daily backups configured
- [ ] Backups stored offsite, in a location the web server's own credentials cannot overwrite or delete (otherwise an attacker or ransomware on the server takes the backups with it)
- [ ] Backup restore tested recently
- [ ] Disaster recovery plan documented
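A backup only counts once it has been restored. The script below is an added example (not from the original checklist) of the "restore tested" item: it archives a site directory with a checksum, unpacks the archive into a scratch directory, diffs the result against the live tree, and then shows that a damaged archive fails verification instead of restoring silently. It assumes GNU tar, sha256sum and diff; all paths and files in `run_demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original checklist. Assumes GNU tar, sha256sum,
# diff and mktemp; every path below is constructed for the demo.

# make_backup <site-dir> <backup-dir>: writes a timestamped archive plus a
# checksum file (re-check it after the copy offsite) and prints the archive path.
make_backup() {
    site="$1"; dest="$2"
    archive="$dest/site-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    sha256sum "$archive" > "$archive.sha256"    # records the path as given, so use absolute paths
    echo "$archive"
}

# verify_restore <archive> <site-dir>: checks the archive checksum, unpacks into
# a scratch directory and compares every file against the live tree.
# Returns 0 only when the restored copy is identical.
verify_restore() {
    archive="$1"; site="$2"; rc=1
    scratch=$(mktemp -d)
    if sha256sum --quiet -c "$archive.sha256" >/dev/null 2>&1 \
       && tar -xzf "$archive" -C "$scratch" \
       && diff -r "$site" "$scratch/$(basename "$site")" >/dev/null; then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Demonstration: a constructed site backs up and restores cleanly; a corrupted
# archive is rejected.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content/uploads" "$work/backups"
    printf '<?php echo "home";\n' > "$work/site/index.php"
    printf '<?php define("DB_PASSWORD", "example");\n' > "$work/site/wp-config.php"
    head -c 4096 /dev/urandom > "$work/site/wp-content/uploads/photo.jpg"
    archive=$(make_backup "$work/site" "$work/backups")
    verify_restore "$archive" "$work/site" || { rm -rf "$work"; return 1; }
    printf 'corruption' >> "$archive"            # simulated damage in transit
    if verify_restore "$archive" "$work/site"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

if run_demo; then echo "backup archived, checksummed and restore-tested"; else echo "demo failed"; fi
```

The database is the other half of a site backup; dump it (for example with `mysqldump`) into the site directory before `make_backup` runs so the archive and its checksum cover both.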
Monitoring
- [ ] Uptime monitoring active
- [ ] Security scanning enabled
- [ ] Error logs reviewed regularly
- [ ] Failed login monitoring
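The "failed login monitoring" item can be done against the web server's own access log before any plugin is involved. The script below is an added example, not from the original page: it counts failed login attempts per address in a combined-format (Apache/Nginx) log and turns the offenders into an Apache 2.4 block for the login endpoints. It relies on WordPress answering a failed POST to wp-login.php with 200 (the form is re-rendered) and a successful one with 302, and it counts POSTs to xmlrpc.php because one system.multicall request there can try hundreds of passwords. The log lines are constructed; the 5-attempt threshold is this example's choice.

```shell
#!/bin/sh
# Added example, not from the original page. The access log below is constructed.
ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [10/May/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.20 - - [10/May/2024:09:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:09:05:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:09:07:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:09:07:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF

# failed_logins <logfile> [threshold]: prints "count ip" for each address with at
# least <threshold> (default 5) failed attempts, busiest first. In the combined
# log format $1 is the client, $6 the quoted method, $7 the path, $9 the status.
failed_logins() {
    awk -v thr="${2:-5}" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# deny_rules <logfile> [threshold]: turns the offenders into an Apache 2.4 block
# (for .htaccess or the vhost) that keeps them away from the login endpoints.
deny_rules() {
    echo '<FilesMatch "^(wp-login|xmlrpc)\.php$">'
    echo '  <RequireAll>'
    echo '    Require all granted'
    failed_logins "$1" "${2:-5}" | awk '{ print "    Require not ip " $2 }'
    echo '  </RequireAll>'
    echo '</FilesMatch>'
}

echo "addresses with 5+ failed logins:"; failed_logins "$ACCESS_LOG"
echo; deny_rules "$ACCESS_LOG"
```

Run `failed_logins` against the live log from cron and alert when it prints anything; the same pattern (POST to wp-login.php or xmlrpc.php answered with 200) is what a fail2ban jail for the site would match on.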
Email Security
- [ ] SPF record configured (ends in -all or ~all and stays within the 10-DNS-lookup limit)
- [ ] DKIM enabled (2048-bit keys; retire old selectors when a key is rotated)
- [ ] DMARC policy set to p=quarantine or p=reject (p=none only reports; spoofed mail is still delivered)
- [ ] Spam filtering active
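"Configured" is not the same as "effective": an SPF record with no terminal `-all`, a DMARC policy of `p=none`, or a 1024-bit DKIM key all pass a quick look and still let spoofed mail through. The script below is an added example, not from the original checklist, that grades the three records. It assumes GNU coreutils (`base64 -d`); the records in `run_demo` are constructed, and the DKIM "keys" are dummy base64 blobs of the right size, not real RSA keys. Fetch the live records with `dig +short TXT example.com`, `dig +short TXT _dmarc.example.com` and `dig +short TXT <selector>._domainkey.example.com`.

```shell
#!/bin/sh
# Added example, not from the original checklist. Assumes GNU coreutils.
# All records in run_demo are constructed; the DKIM keys are dummy blobs.

# check_spf "<record>": usable only with a terminal -all (or ~all) and at most
# 10 DNS-lookup mechanisms, beyond which receivers return permerror.
check_spf() {
    case "$1" in
        "v=spf1 "*"-all"|"v=spf1 "*"~all") ;;
        "v=spf1 "*"+all"|"v=spf1 "*" all")
            echo "SPF ends in +all: any host may send as this domain"; return 1 ;;
        "v=spf1"*)
            echo "SPF has no -all/~all: unlisted senders are not rejected"; return 1 ;;
        *)  echo "no SPF record"; return 1 ;;
    esac
    lookups=$(printf '%s\n' "$1" | tr ' ' '\n' | sed 's/^[-+~?]//' \
        | grep -cxE 'include:.*|a|a:.*|a/.*|mx|mx:.*|mx/.*|ptr.*|exists:.*|redirect=.*' || true)
    [ "$lookups" -le 10 ] || { echo "SPF needs $lookups DNS lookups (limit 10)"; return 1; }
}

# check_dmarc "<record>": only p=quarantine or p=reject stops spoofed mail;
# p=none is monitoring. pct= below 100 leaves part of the spoofed mail unenforced.
check_dmarc() {
    case "$1" in "v=DMARC1;"*) ;; *) echo "no DMARC record"; return 1 ;; esac
    tags=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n')
    policy=$(printf '%s\n' "$tags" | sed -n 's/^p=//p')
    pct=$(printf '%s\n' "$tags" | sed -n 's/^pct=//p')
    case "$policy" in
        reject|quarantine) ;;
        none) echo "DMARC p=none only reports; spoofed mail is still delivered"; return 1 ;;
        *)    echo "DMARC record has no valid p= tag"; return 1 ;;
    esac
    [ -z "$pct" ] || [ "$pct" -eq 100 ] 2>/dev/null || { echo "DMARC enforced on only $pct% of mail"; return 1; }
}

# check_dkim "<record>": the v=DKIM1 tag is optional, so the test is the key itself.
# An empty p= means the selector was revoked. A DER-encoded RSA-2048 public key
# decodes to 294 bytes; a 1024-bit key (162 bytes) is no longer acceptable.
check_dkim() {
    key=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p')
    [ -n "$key" ] || { echo "DKIM selector has no public key (revoked or missing)"; return 1; }
    bytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$bytes" -ge 270 ] || { echo "DKIM key too small ($bytes bytes decoded)"; return 1; }
}

# Demonstration on constructed records: each good record passes, each weak one fails.
run_demo() {
    check_spf "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all" || return 1
    check_spf "v=spf1 ip4:203.0.113.5 +all" && return 1
    many=""; i=0
    while [ $i -lt 11 ]; do many="$many include:s$i.example.net"; i=$((i+1)); done
    check_spf "v=spf1$many -all" && return 1
    check_dmarc "v=DMARC1; p=reject; rua=mailto:dmarc@example.com" || return 1
    check_dmarc "v=DMARC1; p=none; rua=mailto:dmarc@example.com" && return 1
    check_dmarc "v=DMARC1; p=quarantine; pct=25" && return 1
    strong=$(head -c 294 /dev/zero | base64 | tr -d '\n')   # stand-in for an RSA-2048 SPKI
    weak=$(head -c 162 /dev/zero | base64 | tr -d '\n')     # stand-in for an RSA-1024 SPKI
    check_dkim "v=DKIM1; k=rsa; p=$strong" || return 1
    check_dkim "v=DKIM1; k=rsa; p=$weak" && return 1
    check_dkim "v=DKIM1; k=rsa; p=" && return 1
    return 0
}

if run_demo; then echo "SPF/DKIM/DMARC checks behave as expected"; else echo "demo failed"; fi
```

Move to `p=reject` in steps: publish `p=none` with a `rua=` address first, read the aggregate reports until every legitimate sender passes SPF or DKIM alignment, then switch to `p=quarantine` and finally `p=reject`.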
Firewall & Protection
- [ ] Web Application Firewall enabled
- [ ] DDoS protection active
- [ ] Malicious IP blocking
- [ ] Rate limiting configured
Additional Measures
- [ ] Security headers configured (Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options or CSP frame-ancestors, Referrer-Policy)
- [ ] XML-RPC disabled unless a client actually needs it (WordPress; xmlrpc.php allows bulk password guessing through system.multicall and pingback abuse)
- [ ] Admin areas protected
- [ ] Regular security audits scheduled
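The SSL & Encryption items (forced HTTPS redirect, HSTS, no mixed content) and the security headers item above are all verified the same way: by looking at what the server actually sends. The script below is an added example, not part of the original checklist. It grades a plain-HTTP response (must redirect to https://), an HTTPS response (HSTS of at least a year, nosniff, CSP, clickjacking protection, Referrer-Policy, no version in the Server banner) and a saved page (no http:// resources). Capture real input with `curl -sI http://example.com/`, `curl -sI https://example.com/` and `curl -s https://example.com/`; the header sets and page below are constructed, and the one-year HSTS threshold is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the original checklist. All responses are constructed.
GOOD_HTTP=$(mktemp); GOOD_HTTPS=$(mktemp); WEAK_HTTPS=$(mktemp); PAGE=$(mktemp)
printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' 'Location: https://example.com/' 'Content-Length: 0' > "$GOOD_HTTP"
printf '%s\r\n' 'HTTP/2 200' \
  'strict-transport-security: max-age=31536000; includeSubDomains' \
  'x-content-type-options: nosniff' \
  'x-frame-options: SAMEORIGIN' \
  'referrer-policy: strict-origin-when-cross-origin' \
  "content-security-policy: default-src 'self'; frame-ancestors 'self'" \
  'server: Apache' > "$GOOD_HTTPS"
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.41 (Ubuntu)' \
  'Strict-Transport-Security: max-age=300' > "$WEAK_HTTPS"
printf '%s\n' '<html><body>' '<img src="http://cdn.example.com/logo.png">' \
  '<script src="https://example.com/app.js"></script>' '</body></html>' > "$PAGE"

# hdr <file> <name>: value of a response header, case-insensitive, CR stripped.
hdr() { grep -i "^$2:" "$1" | head -n1 | cut -d: -f2- | sed 's/^ *//; s/\r$//'; }

# check_redirect <http-headers>: plain HTTP must answer 301/308 to an https:// URL,
# otherwise visitors who type the bare domain stay on cleartext.
check_redirect() {
    status=$(head -n1 "$1" | awk '{ print $2 }')
    loc=$(hdr "$1" Location)
    case "$status:$loc" in
        301:https://*|308:https://*) return 0 ;;
        *) echo "HTTP not redirected to HTTPS (status $status, Location '$loc')"; return 1 ;;
    esac
}

# check_security_headers <https-headers>: prints each gap and returns the count.
check_security_headers() {
    f="$1"; fails=0
    age=$(hdr "$f" Strict-Transport-Security | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$age" ]; then echo "HSTS missing"; fails=$((fails+1))
    elif [ "$age" -lt 31536000 ]; then echo "HSTS max-age $age is under one year"; fails=$((fails+1)); fi
    [ "$(hdr "$f" X-Content-Type-Options | tr 'A-Z' 'a-z')" = nosniff ] \
        || { echo "X-Content-Type-Options: nosniff missing"; fails=$((fails+1)); }
    csp=$(hdr "$f" Content-Security-Policy)
    [ -n "$csp" ] || { echo "Content-Security-Policy missing"; fails=$((fails+1)); }
    # Clickjacking needs X-Frame-Options or a CSP frame-ancestors directive.
    if [ -z "$(hdr "$f" X-Frame-Options)" ]; then
        case "$csp" in *frame-ancestors*) ;; *) echo "no clickjacking protection"; fails=$((fails+1)) ;; esac
    fi
    [ -n "$(hdr "$f" Referrer-Policy)" ] || { echo "Referrer-Policy missing"; fails=$((fails+1)); }
    # A version in the Server banner lets attackers match exploits to the exact build.
    case "$(hdr "$f" Server)" in */[0-9]*) echo "Server header leaks a version"; fails=$((fails+1)) ;; esac
    return $fails
}

# mixed_content <html-file>: http:// resources on an HTTPS page are blocked or
# flagged by browsers. Prints each offender; returns 0 only if the page is clean.
mixed_content() {
    ! grep -oiE '(src|href)="http://[^"]*"' "$1"
}

check_redirect "$GOOD_HTTP" && check_security_headers "$GOOD_HTTPS" && echo "redirect and headers OK"
echo "--- weak configuration:"
check_security_headers "$WEAK_HTTPS" || echo "$? issue(s) found"
echo "--- mixed content:"
mixed_content "$PAGE" || echo "fix the http:// reference(s) above"
```

Run the HTTPS check against every hostname that serves the site (www and bare domain, any subdomains covered by includeSubDomains), since each vhost can carry a different header set.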
Review this checklist monthly and after any security incidents.