Website Security Checklist 2026 — 50 Things to Verify Right Now
📅 March 11, 2026
By VulnScan Security Team
85% of websites have at least one serious security vulnerability. This checklist covers 50 actionable security items across every layer of your website — from TLS configuration to server hardening. Use VulnScan's free scanner to automatically check many of these items.
SSL/TLS Configuration (5 Checks)
- ☐ HTTPS forced on all pages (no HTTP)
- ☐ SSL certificate valid and not expiring within 30 days
- ☐ TLS 1.2+ only (disable SSLv3, TLS 1.0, TLS 1.1)
- ☐ Strong cipher suites (no RC4, DES, 3DES)
- ☐ HTTP Strict Transport Security (HSTS) header enabled
HTTP Security Headers (8 Checks)
- ☐ Content-Security-Policy (CSP) header present
- ☐ X-Frame-Options: DENY or SAMEORIGIN
- ☐ X-Content-Type-Options: nosniff
- ☐ Referrer-Policy set appropriately
- ☐ Permissions-Policy (formerly Feature-Policy) configured
- ☐ Server header not revealing software version
- ☐ X-Powered-By header removed
- ☐ CORS policy correctly configured
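The header items above (plus the HSTS item from the TLS section) can be audited mechanically. The following is an added example, not VulnScan's scanner code: it evaluates a response's headers against each checklist item and reports the failures. The header sets are constructed samples, and the one-year HSTS max-age threshold is an assumption.

```python
import re

# Constructed sample response headers (not captured from any real site).
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Access-Control-Allow-Origin": "https://app.example.com",
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def hsts_ok(value):
    """HSTS passes when max-age is at least one year (assumed threshold)."""
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    return bool(m) and int(m.group(1)) >= 31536000

def audit_headers(headers):
    """Map each checklist item to True (pass) or False (fail).
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    cors_origin = h.get("access-control-allow-origin")
    cors_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return {
        "hsts": hsts_ok(h.get("strict-transport-security")),
        "csp": "content-security-policy" in h,
        "x_frame_options": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "").lower() in SAFE_REFERRER,
        "permissions_policy": "permissions-policy" in h,
        # Any digit in Server (e.g. "Apache/2.4.41") leaks a version number.
        "server_no_version": not re.search(r"\d", h.get("server", "")),
        "no_x_powered_by": "x-powered-by" not in h,
        # A wildcard origin combined with Allow-Credentials: true is a
        # CORS misconfiguration; a wildcard alone is only fine for public data.
        "cors": not (cors_origin == "*" and cors_creds),
    }

def failing_checks(headers):
    return sorted(name for name, ok in audit_headers(headers).items() if not ok)
```

Feed it the headers from a real response (for example from `requests.head(url).headers`) to get the list of checklist items that still fail.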
Authentication & Access Control (10 Checks)
- ☐ Multi-factor authentication available (ideally required)
- ☐ Login rate limiting (prevent brute force)
- ☐ Account lockout after N failed attempts
- ☐ No default admin credentials
- ☐ Admin panel not on default URL (/admin, /wp-admin)
- ☐ Password reset via one-time token (never by emailing the actual password)
- ☐ Session tokens invalidated on logout
- ☐ No sensitive data in URL parameters
- ☐ Horizontal privilege escalation tested (IDOR)
- ☐ Vertical privilege escalation tested
Injection Prevention (7 Checks)
- ☐ All database queries use parameterized statements
- ☐ No raw SQL with user input concatenation
- ☐ HTML output properly encoded (prevents XSS)
- ☐ File uploads validated by content type, not just file extension
- ☐ XML parsing with external entity processing disabled
- ☐ eval() and equivalent not used with user input
- ☐ OS commands not called with user input
WordPress-Specific Checks (10 Checks)
- ☐ WordPress core is latest version
- ☐ All plugins on latest version
- ☐ Inactive plugins deleted (not just deactivated)
- ☐ Administrator username is not "admin"
- ☐ XML-RPC disabled if not needed
- ☐ File editing in admin panel disabled
- ☐ wp-config.php stored outside the web root
- ☐ Database table prefix changed from the default wp_
- ☐ Login attempts limited (plugin or server)
- ☐ Security scan done with external scanner
Quick Scan — Check All of These Automatically
Rather than checking each item manually, run a free VulnScan vulnerability scan on your domain. Our scanner automatically tests for 200+ security issues including SSL configuration, HTTP headers, common injection vectors, and known CVEs — in 60 seconds.
Frequently Asked Questions
How often should I run a website security check?
Run a security scan monthly at minimum, and after any major code deployment or plugin update. High-traffic or e-commerce sites should scan weekly. VulnScan's free scanner lets you check as often as you want.
What is the most important website security check?
HTTPS/SSL is the baseline, but the most impactful checks are: no SQL injection, no XSS, proper authentication, and up-to-date software. SQL injection and XSS together account for about 50% of web application breaches.