Website Security Checklist for Non-Technical Teams

A practical website security checklist for business owners and non-technical teams. Covers HTTPS, passwords, updates, backups, monitoring, and common vulnerabilities in plain language.

Website security is not just for developers. If you run a website, you are responsible for protecting it from attacks, data breaches, and unauthorized access. The good news is that most website security comes down to consistent basics, not advanced technical skills.

This checklist covers the security measures every website owner should have in place, explained in plain language. You do not need to be a developer to follow it. For monitoring your site's ongoing health, see our website maintenance and monitoring guide.

The Checklist

HTTPS and SSL

Use HTTPS on every page. HTTPS encrypts data between your visitors' browsers and your server. Without it, passwords, form submissions, and personal information travel over the internet in plain text. Modern browsers flag HTTP sites as "Not Secure," which scares visitors away.

  • [ ] Your site loads over HTTPS (check by visiting your site and looking for the padlock icon)
  • [ ] HTTP requests redirect to HTTPS automatically
  • [ ] Your SSL certificate is valid and not expired
  • [ ] You have monitoring in place for SSL certificate expiry (see SSL certificate monitoring guide)

Most hosting providers and platforms include free SSL certificates through Let's Encrypt. If you are not using HTTPS, enable it now.
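
As an added example (not part of the original checklist, and not Site Watcher's code), here is a small Python script that checks the first three items above against a live site: that plain HTTP redirects to HTTPS, that the certificate verifies, and how many days remain before it expires. The 14-day warning threshold and the rule that the redirect must land on the same hostname are assumptions for the example; adjust them if your site redirects to a www. variant.

```python
import socket
import ssl
import sys
import time
from http.client import HTTPConnection
from typing import Optional
from urllib.parse import urlsplit

# Assumption for this example: warn when the certificate has under 14 days left.
WARN_DAYS_BEFORE_EXPIRY = 14
SECONDS_PER_DAY = 86400


def is_https_redirect(status: int, location: Optional[str], host: str) -> bool:
    """True if a plain-HTTP response sends the visitor to the HTTPS version of host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    # Assumption: the redirect must stay on the same hostname.
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def days_until_expiry(not_after: str, now_epoch: float) -> int:
    """Whole days remaining on a certificate, given the notAfter string that
    ssl.SSLSocket.getpeercert() returns (for example 'Jun  1 12:00:00 2030 GMT')."""
    expires_epoch = ssl.cert_time_to_seconds(not_after)
    return int((expires_epoch - now_epoch) // SECONDS_PER_DAY)


def check_site(host: str) -> dict:
    """Run the checks against a live host and return plain-language results."""
    result = {}

    # Items 1 and 2: does http://host/ send visitors to https://host/ ?
    conn = HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        result["http_redirects_to_https"] = is_https_redirect(
            resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()

    # Items 3 and 4: is the certificate valid, and how long until it expires?
    # create_default_context() verifies the chain and the hostname, so an
    # invalid or expired certificate raises instead of returning.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        days = days_until_expiry(cert["notAfter"], time.time())
        result["certificate_valid"] = True
        result["days_until_expiry"] = days
        result["expiry_warning"] = days < WARN_DAYS_BEFORE_EXPIRY
    except ssl.SSLCertVerificationError as exc:
        result["certificate_valid"] = False
        result["certificate_error"] = getattr(exc, "reason", None) or str(exc)
    return result


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in check_site(target_host).items():
        print(f"{key}: {value}")
```

Run it as `python check_https.py yourdomain.com`. Running it from a daily scheduled task and alerting when `expiry_warning` becomes true is the simplest form of the certificate-expiry monitoring the fourth item asks for.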

Software updates

Keep everything updated. Most website hacks exploit known vulnerabilities in outdated software. WordPress plugins, CMS core versions, server software, and PHP/Node.js versions all receive security patches regularly.

  • [ ] CMS core is on the latest stable version
  • [ ] All plugins and extensions are updated
  • [ ] Unused plugins and themes are removed (not just deactivated)
  • [ ] Server-side software (PHP, Node.js, database) is on a supported version
  • [ ] Automatic updates are enabled where possible

The single most impactful security measure for WordPress sites is keeping plugins updated. Outdated plugins are the entry point for the majority of WordPress compromises.

Passwords and access control

Use strong, unique passwords for everything. Weak passwords are the easiest attack vector.

  • [ ] Admin accounts use strong passwords (16+ characters, randomly generated)
  • [ ] Each user has their own account (no shared logins)
  • [ ] Two-factor authentication (2FA) is enabled for all admin accounts
  • [ ] Default admin usernames (like "admin") have been changed
  • [ ] FTP/SFTP and database passwords are strong and not reused
  • [ ] Hosting control panel uses a strong password with 2FA
  • [ ] Former employees and contractors have had their access revoked

Use a password manager. Do not store passwords in spreadsheets, text files, or email.

Backups

Maintain regular backups that you have tested. A backup you have never tested restoring is not a backup you can rely on.

  • [ ] Automated backups run daily (at minimum)
  • [ ] Backups include both files and the database
  • [ ] Backups are stored off-site (not on the same server as the website)
  • [ ] You have tested restoring from a backup at least once
  • [ ] Backup retention covers at least 30 days
  • [ ] Backup restoration is documented (someone besides you knows how to do it)

See website backup strategy for detailed guidance.

Forms and user input

Sanitize all user input. Forms, search boxes, and any place users can enter data are potential attack vectors.

  • [ ] Form submissions are validated on the server, not only in the browser (client-side checks improve the experience for honest users, but anyone can bypass them)
  • [ ] Contact forms use CAPTCHA or honeypot fields to reduce spam and bot submissions
  • [ ] File uploads (if any) restrict accepted file types and scan for malware
  • [ ] Login forms implement rate limiting (lock out after repeated failed attempts)
  • [ ] Search functionality does not expose raw database queries

If you use a CMS like WordPress, your plugins should handle input sanitization. But verify that your contact form, search, and login pages are not vulnerable.

Admin area protection

Restrict access to your admin interface.

  • [ ] Admin login URL is not the default (for WordPress, a security plugin can move the login page away from /wp-admin/)
  • [ ] Admin area is protected by 2FA
  • [ ] Admin sessions time out after a period of inactivity
  • [ ] Login attempts are rate-limited (brute force protection)
  • [ ] Admin access is restricted by IP if possible (for sites managed by a small team)
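
Rate limiting appears in both the "Forms and user input" list (lock out after repeated failed attempts) and the "Admin area protection" list (brute force protection). As an added example that is not from the original page or from Site Watcher, here is a small Python login limiter that implements both: it counts failures inside a sliding window and locks the key out for a fixed period once the limit is hit. The defaults (5 failures in 5 minutes, 15-minute lockout) and the idea of keying on username plus client IP are assumptions for the example; a real site would keep the state in a shared store rather than in memory.

```python
import time
from collections import deque
from typing import Optional


class LoginRateLimiter:
    """Lock a login key out after too many failures inside a sliding window.

    The key is whatever you throttle on; a common choice is the username
    and the client IP address joined together (assumption for this example).
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures: dict = {}      # key -> deque of recent failure timestamps
        self._locked_until: dict = {}  # key -> time at which the lockout ends

    def is_locked(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:            # the lockout has expired, forget it
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, key: str, now: Optional[float] = None) -> bool:
        """Note one failed attempt. Returns True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        recent = self._failures.setdefault(key, deque())
        recent.append(now)
        while recent and recent[0] <= now - self.window_seconds:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            recent.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login clears the failure history for that key."""
        self._failures.pop(key, None)

    def attempt(self, key: str, password_correct: bool,
                now: Optional[float] = None) -> str:
        """Gate one login attempt and return 'locked', 'ok' or 'failed'.

        The lock is checked before the password result is used, so a
        locked-out caller learns nothing about whether the password was right.
        """
        if self.is_locked(key, now):
            return "locked"
        if password_correct:
            self.record_success(key)
            return "ok"
        return "locked" if self.record_failure(key, now) else "failed"


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, lockout_seconds=120)
    key = "alice@203.0.113.5"   # constructed username + client IP
    for tick in range(4):
        print(tick, limiter.attempt(key, password_correct=False, now=tick))
    print("later", limiter.attempt(key, password_correct=True, now=200))
```

In a web application the call to `attempt` wraps the password check in the login handler: look up the user, verify the password hash, then pass the result in. Note that the limiter deliberately answers "locked" even when the password is correct during the lockout window.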

Security headers

Set HTTP security headers. These headers tell browsers how to handle your content securely.

  • [ ] Strict-Transport-Security (HSTS) -- Forces HTTPS connections
  • [ ] X-Content-Type-Options: nosniff -- Prevents MIME type sniffing
  • [ ] X-Frame-Options: DENY or SAMEORIGIN -- Prevents clickjacking
  • [ ] Content-Security-Policy -- Controls which resources can load on your pages
  • [ ] Referrer-Policy -- Controls how much referrer information is shared

You can check your headers at securityheaders.com. If you are not sure how to set them, most CDNs (Cloudflare, Fastly) and web server configurations support them.
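
For teams that would rather check headers from a script than a website, here is an added Python example (not from the original page or from Site Watcher) that audits the five headers in the list above and reports each one as "ok", "weak" or "missing" in plain language. It checks a little more than presence: HSTS must carry a max-age of at least one year (the value the HSTS preload list asks for; treating that as the minimum is an assumption for this example), X-Frame-Options must be DENY or SAMEORIGIN, a Content-Security-Policy that allows inline scripts is flagged, and Referrer-Policy: unsafe-url is flagged. The two sample header sets are constructed for the demonstration and do not come from any real site.

```python
import sys
import urllib.request

# Assumption for this example: require an HSTS max-age of at least one year.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample responses for the demonstration (not from a real site).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; img-src *",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_WEAK = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "ALLOWALL",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
}


def _header(headers: dict, name: str):
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hsts_max_age(value: str) -> int:
    for directive in value.split(";"):
        key, _, number = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def _csp_allows_inline_scripts(csp: str) -> bool:
    """True if script-src (or default-src when script-src is absent) lists 'unsafe-inline'.
    A nonce or hash in the same directive makes browsers ignore it; this simple check
    does not model that."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def audit_headers(headers: dict) -> dict:
    """Return {header name: 'ok' or a plain-language problem} for the five checklist headers."""
    findings = {}

    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing: browsers may still try plain HTTP first"
    elif _hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings["Strict-Transport-Security"] = f"weak: max-age is under one year ({hsts})"
    else:
        findings["Strict-Transport-Security"] = "ok"

    xcto = _header(headers, "X-Content-Type-Options")
    findings["X-Content-Type-Options"] = (
        "ok" if xcto and xcto.strip().lower() == "nosniff"
        else "missing: should be exactly 'nosniff'")

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing: other sites can frame your pages (clickjacking)"
    elif xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    else:
        findings["X-Frame-Options"] = f"weak: '{xfo}' is not DENY or SAMEORIGIN"

    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing: nothing limits which scripts may load"
    elif _csp_allows_inline_scripts(csp):
        findings["Content-Security-Policy"] = "weak: inline scripts are allowed ('unsafe-inline')"
    else:
        findings["Content-Security-Policy"] = "ok"

    referrer = _header(headers, "Referrer-Policy")
    if referrer is None:
        findings["Referrer-Policy"] = "missing: full page URLs may leak to other sites"
    elif referrer.strip().lower() == "unsafe-url":
        findings["Referrer-Policy"] = "weak: unsafe-url sends full URLs everywhere"
    else:
        findings["Referrer-Policy"] = "ok"
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch the response headers of a live page."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    live = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    for name, finding in audit_headers(live).items():
        print(f"{name}: {finding}")
```

Run it with no arguments to see the report for the constructed weak sample, or `python audit_headers.py https://yourdomain.com/` for a live page.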

Domain and DNS security

Protect your domain registration and DNS.

  • [ ] Domain registrar account uses a strong password and 2FA
  • [ ] Domain auto-renewal is enabled
  • [ ] Domain transfer lock is enabled (prevents unauthorized transfers)
  • [ ] DNS records are reviewed periodically for unauthorized changes
  • [ ] You have monitoring for domain expiry (see domain expiry monitoring guide)
  • [ ] You have monitoring for DNS changes (see DNS monitoring explained)

Losing your domain is one of the most damaging things that can happen to a website. If your domain expires and someone else registers it, you lose your entire web presence.

Monitoring and scanning

Actively monitor for security issues.

  • [ ] Uptime monitoring is configured (to detect defacement or server compromise that takes the site down)
  • [ ] Google Search Console is set up (Google alerts you to security issues and malware)
  • [ ] A malware scanning service checks your site regularly
  • [ ] You monitor Google Safe Browsing status (search https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.com)
  • [ ] Server access logs are reviewed for suspicious activity
  • [ ] File integrity monitoring alerts you to unauthorized file changes
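
The last item, file integrity monitoring, is the one most non-technical teams have never seen in practice, so here is an added Python example of the underlying idea (not from the original page or from Site Watcher): record a SHA-256 fingerprint of every file in the site's directory once, then compare later runs against that baseline and report added, removed and modified files. Skipping the "cache", "uploads" and "node_modules" directories is an assumption for the example, since those change legitimately; the tiny site built in `demo()` is constructed for the walk-through.

```python
import hashlib
import json
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Assumption for this example: directories whose contents change legitimately
# are skipped so the report is not full of noise.
SKIP_DIRS = {"cache", "uploads", "node_modules"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative path -> SHA-256 hex digest)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Store the baseline where the web server cannot write, or an intruder can update it too.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed walk-through: a tiny fake site, then one change of each kind."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'site'); ?>")
        (root / "uploads").mkdir()
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # in a skipped directory
        before = build_baseline(root)

        (root / "index.php").write_text("<?php echo 'hello'; /* unexpected change */ ?>")  # modified
        (root / "extra.php").write_text("<?php ?>")                                        # added
        (root / "wp-config.php").unlink()                                                  # removed
        (root / "uploads" / "new.jpg").write_bytes(b"\xff\xd8")                            # ignored
        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Usage: fim.py baseline <site_dir> <baseline.json>   or   fim.py check <site_dir> <baseline.json>
    if len(sys.argv) != 4:
        print(demo())
    elif sys.argv[1] == "baseline":
        save_baseline(build_baseline(Path(sys.argv[2])), Path(sys.argv[3]))
    else:
        print(json.dumps(compare(load_baseline(Path(sys.argv[3])),
                                 build_baseline(Path(sys.argv[2]))), indent=2))
```

Run the `baseline` command right after a deployment or update, and the `check` command on a schedule; any "added" or "modified" file you did not deploy yourself is what the checklist item wants you to be alerted about. Remember to rebuild the baseline after each legitimate update, or every patch will show up as a change.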

See website security monitoring guide and how to check website safety for more.

Third-party services

Audit your third-party integrations.

  • [ ] All third-party scripts (analytics, ads, chat, marketing) load over HTTPS
  • [ ] You regularly review which third-party services have access to your site or data
  • [ ] API keys are stored securely (not in client-side JavaScript)
  • [ ] Third-party services that you no longer use have been removed
  • [ ] You have a process for evaluating the security of new third-party tools before adding them

Every third-party script you add to your site is a potential attack vector. If a third-party service is compromised, its script on your site could be modified to steal user data.

Security is ongoing, not one-time

Going through this checklist once is a good start. But security requires ongoing attention. Set a calendar reminder to review this checklist quarterly. Software gets new vulnerabilities. Employees leave. Services change. A checklist review four times a year catches the drift that turns a secure site into a vulnerable one.

After a Security Incident

If your site has been compromised:

  1. Take the site offline temporarily to prevent further damage
  2. Change all passwords immediately (hosting, CMS, database, FTP, DNS, email)
  3. Restore from a clean backup (from before the compromise)
  4. Update all software to patch the vulnerability that was exploited
  5. Scan for remaining malware or backdoors
  6. Review server logs to understand how the attack happened
  7. Notify affected users if personal data was accessed
  8. Request a security review in Google Search Console if Google flagged your site
  9. Document what happened and update your security practices to prevent recurrence

For a broader incident response framework, see our incident response plan template.

Summary

Website security is mostly about consistent basics: HTTPS, updates, strong passwords, backups, monitoring, and access control. Go through this checklist, address each item, and schedule a quarterly review. Most website compromises exploit known vulnerabilities in outdated software or weak passwords. Addressing these fundamentals prevents the vast majority of attacks.

Monitor your site for security and availability

Site Watcher monitors uptime, SSL certificates, domain expiry, DNS, and vendor dependencies. Know about problems before your users do. $39/mo unlimited. Free for up to 3 targets.