How to Run a Website Security Audit: Complete Guide
A structured way to review a website's security posture, without needing an enterprise budget or a dedicated security team.
Step 1: Define Scope
Before checking anything, decide what's actually in scope: the main domain, all subdomains, any staging or admin environments, and email sending infrastructure. A surprisingly common audit gap is checking the main site thoroughly while completely overlooking a forgotten staging subdomain still publicly accessible with weaker security than production.
Step 2: Transport Layer
Confirm the SSL/TLS certificate is valid and not expiring soon, using our SSL Certificate Checker — check every relevant hostname's certificate, not just the primary domain. Verify HTTPS is enforced site-wide with no lingering HTTP-accessible pages, and that HSTS is configured (with the domain submitted to the browser preload list) so that downgrade attacks are blocked even on the very first connection.
Step 3: Application-Level Headers
Run Security Headers Checker for a graded breakdown of HSTS, CSP, X-Frame-Options, and related defenses. Separately, use HTTP Headers Checker to check for information disclosure — verbose Server or X-Powered-By headers that unnecessarily reveal specific software versions to potential attackers.
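As an added example, not the SSL Certificate Checker or Security Headers Checker tools this guide refers to, the following Python module applies the Step 2 and Step 3 checks to data you already hold: a certificate's notAfter date and one response's headers. The header list, the expiry windows (14 and 30 days), the one-year HSTS minimum and the severity labels are assumptions chosen to line up with the prioritization table below; fetch_cert_not_after() is the only function that touches the network, and everything else runs offline on captured values.

```python
"""Offline TLS and header checks (Step 2 and Step 3 of the audit).

Hypothetical helper code written for this guide; not the checker tools it
names.  Thresholds and severity labels are assumptions.
"""
import socket
import ssl
import time

# Headers the audit expects, with an assumed severity for their absence.
REQUIRED_HEADERS = {
    "strict-transport-security": "High",
    "content-security-policy": "High",
    "x-frame-options": "Medium",
    "x-content-type-options": "Medium",
    "permissions-policy": "Low",
}
# Headers that commonly leak software versions (information disclosure).
DISCLOSING_HEADERS = ("server", "x-powered-by")
ONE_YEAR = 365 * 24 * 3600
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")


def fetch_cert_not_after(hostname, port=443, timeout=5):
    """Live lookup: notAfter of the leaf certificate served for hostname.

    getpeercert() returns a dict whose 'notAfter' value looks like
    'Jun  1 12:00:00 2030 GMT'; pass that string to days_until_expiry().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after, now_epoch=None):
    """Whole days until not_after (ssl-module date format); negative if expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now_epoch is None else now_epoch
    return int((expires - now) // 86400)


def cert_finding(not_after, now_epoch=None):
    """Map remaining certificate lifetime onto the guide's severity scale."""
    days = days_until_expiry(not_after, now_epoch)
    if days < 0:
        return ("Critical", f"certificate expired {-days} day(s) ago")
    if days <= 14:
        return ("Critical", f"certificate expires in {days} day(s)")
    if days <= 30:
        return ("High", f"certificate expires in {days} day(s)")
    return None


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains, preload)."""
    max_age, subdomains, preload = 0, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            subdomains = True
        elif d == "preload":
            preload = True
    return max_age, subdomains, preload


def audit_headers(headers):
    """Return (severity, message) findings for one response's header dict."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, severity in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append((severity, f"missing {name}"))
    if "strict-transport-security" in h:
        max_age, subdomains, preload = parse_hsts(h["strict-transport-security"])
        if max_age < ONE_YEAR:
            findings.append(("Medium", f"HSTS max-age {max_age} is under one year"))
        if not subdomains:
            findings.append(("Low", "HSTS lacks includeSubDomains"))
        if not preload:
            findings.append(("Low", "HSTS lacks the preload directive needed for the browser preload list"))
    for name in DISCLOSING_HEADERS:
        # A digit in Server/X-Powered-By almost always means a version string.
        if name in h and any(c.isdigit() for c in h[name]):
            findings.append(("Medium", f"{name} discloses a version: {h[name]}"))
    return findings


def worst_severity(findings):
    """Highest severity present, in the order used by the prioritization table."""
    present = {sev for sev, _ in findings}
    return next((s for s in SEVERITY_ORDER if s in present), None)
```

Feed audit_headers() the headers captured with any HTTP client (for example the output of `curl -sI https://example.com`) and run it once per hostname in scope, staging subdomains included; keeping the checks free of network access is what makes them easy to re-run on every deploy.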
Step 4: Email & Domain Security
Check SPF configuration with SPF Lookup and DKIM with DKIM Lookup for every sending source — not just your primary mail provider, but any marketing or transactional email platform too. Confirm a DMARC record exists and ideally sits at an enforcement policy (quarantine or reject) rather than monitoring-only (none).
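The Step 4 checks can also be applied to the raw TXT records. The module below is an added example, not the SPF Lookup or DKIM Lookup tools named above; it parses constructed SPF, DKIM and DMARC records and reports the same kinds of gaps (no enforcing `all`, too many lookup terms, an empty or small DKIM key, a monitoring-only DMARC policy). The severity labels are assumptions, the SPF lookup count is a flat count that does not follow `include:` chains, and the RSA key-size check is a rough heuristic based on the DER length of the public key.

```python
"""Offline parsers for the Step 4 DNS records: SPF, DKIM and DMARC.

Hypothetical code written for this guide, not its lookup tools.  Records
below are constructed; real ones come from a DNS TXT query such as
`dig TXT _dmarc.example.com`.
"""
import base64
import binascii

# SPF terms that cost a DNS query against the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records (the DKIM key is 392 base64 chars = 294 DER bytes).
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"
SAMPLE_DKIM = {"mail": "v=DKIM1; k=rsa; p=" + "A" * 392}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Findings for an SPF record: lookup budget and the final 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        return [("High", "no valid SPF record (must start with v=spf1)")]
    terms = record.split()[1:]
    findings = []
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
             for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(("High", f"{lookups} DNS-lookup terms exceed the limit of 10"))
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    # A bare 'all' defaults to pass (+all), which authorises every sender.
    if all_term is None or all_term in ("all", "+all"):
        findings.append(("High", "SPF does not end with -all or ~all"))
    return findings


def check_dkim(record):
    """Findings for a DKIM selector record: key present and of a sane size."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return [("High", "DKIM record has an unexpected version tag")]
    key = "".join(tags.get("p", "").split())  # DNS may split p= across strings
    if not key:
        return [("High", "DKIM key is empty (revoked) or missing")]
    findings = []
    if tags.get("k", "rsa").lower() == "rsa":
        # Heuristic: a 1024-bit RSA SubjectPublicKeyInfo is 162 DER bytes,
        # a 2048-bit one is 294, so anything under ~250 is a small key.
        try:
            der_len = len(base64.b64decode(key, validate=True))
        except (ValueError, binascii.Error):
            return [("High", "DKIM p= tag is not valid base64")]
        if der_len < 250:
            findings.append(("Medium", f"DKIM RSA key is small ({der_len} DER bytes, likely 1024-bit)"))
    return findings


def check_dmarc(record):
    """Findings for a DMARC record: enforcement level, coverage and reporting."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return [("High", "no valid DMARC record (needs v=DMARC1 and p=)")]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append(("Medium", "DMARC policy is none (monitoring only)"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("High", f"unknown DMARC policy {policy!r}"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("Medium", "subdomain policy sp=none weakens an enforcing p="))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("Low", f"only {tags['pct']}% of mail is subject to the policy"))
    if "rua" not in tags:
        findings.append(("Low", "no rua= address, so no aggregate reports arrive"))
    return findings


def audit_mail_domain(spf, dkim_records, dmarc):
    """Combine the three checks; dkim_records maps selector -> TXT record."""
    findings = [("SPF", *f) for f in check_spf(spf)]
    for selector, record in dkim_records.items():
        findings += [(f"DKIM {selector}", *f) for f in check_dkim(record)]
    findings += [("DMARC", *f) for f in check_dmarc(dmarc)]
    return findings
```

Run check_dkim() once per selector, one for each sending platform from the list above, since a marketing or transactional provider with its own selector is exactly the source that gets missed; the combined audit_mail_domain() output for the sample records shows only the monitoring-only DMARC policy, which is the finding most small sites still carry.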
Step 5: Access Control
Review who has administrative access to your CMS, hosting dashboard, domain registrar, and DNS provider — audit for former employees or contractors who still retain access unnecessarily. Confirm two-factor authentication is enabled and enforced for every account with write access, not just optionally available.
Step 6: Prioritizing Findings
| Finding Severity | Example | Typical Fix Timeline |
|---|---|---|
| Critical — fix immediately | Expired or expiring certificate, no CSRF protection on sensitive forms | Same day |
| High — fix this week | Missing HSTS/CSP, no email authentication at all | Within a week |
| Medium — schedule a fix | Verbose server headers, outdated non-critical plugin | Within a month |
| Low — track, revisit | Missing Permissions-Policy, minor best-practice gaps | Next planned maintenance window |
Run a combined pass quickly with Website Security Scanner to get an at-a-glance overall picture before diving into individual category detail.
Building a Re-Audit Cadence
A one-time audit degrades in value quickly as configurations drift — a hosting migration, CDN change, or new third-party integration can silently undo prior fixes. A reasonable cadence for most small-to-medium sites: full audit quarterly, plus an immediate re-check after any significant infrastructure change (new host, CDN provider, DNS migration, or major platform upgrade).