Common Website Vulnerabilities Checklist: What to Check & Fix
A focused list of the most common, most preventable website vulnerabilities — most checkable and fixable within an afternoon.
Cross-Site Scripting (XSS)
Occurs when user-controllable input gets rendered back into a page without proper escaping, letting an attacker inject a malicious script that runs in other visitors' browsers. Check: does any input field, URL parameter, or comment system reflect content back onto the page unescaped? Fix: escape output based on context (HTML entity encoding for HTML content, JavaScript string encoding within scripts), and deploy a restrictive Content-Security-Policy as a critical second layer of defense.
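The context-aware output escaping described above, as an added example that is not code from the original article: `escape_html` covers HTML text and attribute values, `escape_js_string` covers a JavaScript string literal inside a `<script>` block, and `count_script_tags` is a crude reflection check; the author value and function names are constructed for this example.

```python
import html
import json

# Constructed sample input (not from the article): a comment author value that
# tries to close the template's <script> element and start its own.
SAMPLE_AUTHOR = '</script><script>alert(1)</script>'
SAMPLE_BODY = 'Nice post <3 & thanks'


def escape_html(value: str) -> str:
    """Encode for HTML text content and double-quoted attribute values."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Encode for use as a JS string literal inside a <script> block.

    json.dumps gives a quoted, backslash-escaped literal (non-ASCII, including
    the JS line terminators U+2028/U+2029, becomes \\uXXXX). The HTML parser
    knows nothing about JS escaping, so '<', '>' and '&' are rewritten as \\u
    escapes as well; a value can then neither close the <script> element nor
    open an HTML comment inside it.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_comment(author: str, body: str) -> str:
    """Render the fragment using the encoder that matches each output context."""
    return (
        f'<p class="comment" data-author="{escape_html(author)}">'
        f'{escape_html(body)}</p>\n'
        f'<script>var lastAuthor = {escape_js_string(author)};</script>'
    )


def render_comment_unsafe(author: str, body: str) -> str:
    """Reflects input verbatim: the vulnerable pattern the checklist tells you to look for."""
    return (
        f'<p class="comment" data-author="{author}">{body}</p>\n'
        f'<script>var lastAuthor = "{author}";</script>'
    )


def count_script_tags(fragment: str) -> int:
    """Reflection check: only the template's own <script> tag should survive."""
    return fragment.lower().count("<script")


if __name__ == "__main__":
    print("unsafe:", count_script_tags(render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY)))  # 3
    print("safe:  ", count_script_tags(render_comment(SAMPLE_AUTHOR, SAMPLE_BODY)))         # 1
```

Note that `escape_html` alone is not enough inside `<script>`: the browser's HTML parser, not the JavaScript engine, decides where the script element ends, which is why the JS encoder also neutralises `<` and `>`.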
Missing Security Headers
HSTS, CSP, X-Frame-Options, and related headers are free, zero-code-change defenses that a surprising number of sites simply never configure. Check: run your domain through our Security Headers Checker for an instant graded breakdown. Fix: add missing headers at the server or CDN configuration level — see our full Security Headers Explained guide.
Information Disclosure
Server banners, verbose error messages, and exposed debug endpoints can hand an attacker a roadmap of your stack and its potential weak points. Check: use our HTTP Headers Checker to see if Server/X-Powered-By headers reveal specific version numbers; check that error pages don't display stack traces or internal file paths in production. Fix: disable verbose errors in production, genericize or remove version-revealing headers.
Weak Authentication
Weak or reused passwords and missing two-factor authentication remain among the most common actual breach vectors, more so than sophisticated exploits. Check: does your admin panel enforce a reasonable password policy? Is 2FA available and required for accounts with write access? Fix: enforce strong password requirements and enable 2FA universally for privileged accounts — see our Password Generator for generating genuinely strong credentials.
Outdated Software & Plugins
Unpatched known vulnerabilities in CMS platforms, plugins, and libraries are actively, continuously scanned for by automated bots from the moment a CVE is published. Check: review your CMS admin dashboard's plugin/theme update list, and run dependency audit tools (npm audit, pip-audit, etc.) for known vulnerable packages. Fix: establish a regular patching cadence rather than updating reactively only after an incident.
Cross-Site Request Forgery (CSRF)
Tricks an authenticated user's browser into submitting an unintended request to your site (like changing their password or making a purchase) by exploiting the fact that browsers automatically attach your site's cookies to requests sent to it, even ones triggered from a malicious third-party page. Check: do state-changing forms (password change, fund transfer, settings update) include and validate a CSRF token? Fix: implement CSRF tokens on all state-changing requests, and set the SameSite cookie attribute to Lax or Strict as an additional defense layer.
Free Tools to Check Each Item
| Vulnerability Area | Free Check |
|---|---|
| Security headers, HSTS, CSP | Security Headers Checker |
| SSL/TLS certificate status | SSL Certificate Checker |
| Server/stack information disclosure | HTTP Headers Checker |
| Combined overview across categories | Website Security Scanner |
| Email spoofing exposure | SPF Lookup & DKIM Lookup |
For the full 20-point sitewide audit, see our Website Security Checklist.