Security checklist

A tool to help you get started with web security


An active security-policy

Having a website online is something that should keep you very busy if you do it right. I mean: uploading a website to a domain is only step 1; after that, a lot of things need to be taken care of.

The internet is changing rapidly, especially where security is concerned. New vulnerabilities arise all the time, and new malware and malicious online activities keep being discovered: a website that is safe today can be hacked tomorrow.

Diving into security is a lot of work, and there is so much to be found online that it can be quite overwhelming.


Maybe the list(s) below can help you on your way in the process of securing your website.


Checklist of "things to do":


Configuration and prevention

  • Know Your Web Server Configuration Files
  • Use a secure webhost and preferably no shared hosting-account
  • Use HTTP/2: it will give your website an advantage in both speed and security
  • Set up SSH/SFTP: use a safe protocol to transfer files to and from your website
  • Don't store FTP-passwords in FTP-clients
  • Limit the FTP access to specific IP addresses
  • Use encryption when you have to connect through insecure FTP
  • Use an SSL-certificate to serve HTTPS
  • Deploy a web-application firewall
  • Leverage content delivery networks
  • Keep Software And Plugins Up-To-Date
  • Change all default passwords
  • Choose smart and strong passwords and change them frequently (colleagues too)
  • Use two-step authentication
  • Use password-protection for restricted files and folders
  • Disable directory indexing
  • Replace unsupported operating systems, applications, and hardware
  • Secure your hardware (password access, disable hardware-ports etc.)
  • Block access to forbidden files and folders
  • Block brute force and DDoS attacks
  • Block potentially malicious visitors (hostnames, IP-numbers etc.) server-side
  • Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections.
  • Implement a Content Security Policy (CSP)
  • Limit access: ensure that users can access only the systems and functions they need to have access to
  • Configure website caching to optimize resource availability (this hardens your website against a high load of requests)
  • Backup regularly and keep your backups in another place than your device or network
  • Remove all files and directories that don't have to be on your server (anymore)
  • Set up a disaster recovery scenario

Development and maintenance of the source-code   

  • Stay well informed: regularly visit web sources to look out for new vulnerabilities and threats
  • Follow ISO 27018 standards
  • Maintain cookie-information and publish a privacy policy
  • Sign up for Google Search Console and Bing Webmaster Tools
  • Automatic lockout: set a maximum number of incorrect log-ins that are allowed on an account
  • Write source code that validates against web standards
  • Validate and evaluate source code and user-input
  • Validate and evaluate URL-headers and queries sent to the server and the database (learn about injection-attacks)
  • Utilize reliable forms for online payments
  • Disable weak protocols and ciphers (SSLv2, SSLv3, 3DES, RC4)
  • Use robots.txt to tell crawlers what to index and what not
  • Do not try to fool search-engine crawlers (avoid manual actions that could lead to blacklisting your domain)
  • Check outgoing links (are they still pointing to safe destinations?)
  • Prevent spamming (use plugins and/or tools)
  • Use CAPTCHA and spam filter plug-ins
  • Be critical about any third-party include on your website

Control and react   

  • Use scanners to find vulnerabilities
  • Use a website monitoring tool
  • In a company: record user-access and privileges
  • Monitor certificate transparency logs
  • Regularly check access logs and error logs stored by your server and take immediate actions where needed
  • Test access-blocks, redirects, rewrites etc. from another IP-number (for example through a VPN or a VPN-supported browser)
  • Add a security.txt file to the .well-known folder in your root
  • Hire a security expert
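
For the security.txt item above, an added example (not part of the original checklist) that checks a file's contents against the field rules of RFC 9116: Contact and Expires are required, Expires and Preferred-Languages may appear only once, and an expired file is flagged. It assumes an unsigned file; the function name and the sample files are constructed for illustration.

```python
from datetime import datetime, timezone

REQUIRED = {"contact", "expires"}            # RFC 9116: both must be present
SINGLE = {"expires", "preferred-languages"}  # RFC 9116: at most once each

def check_security_txt(text, now=None):
    """Return a list of problems found in a security.txt body (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {n}: not a 'Name: value' field")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field: {name}")
    for name in sorted(SINGLE & set(fields)):
        if len(fields[name]) > 1:
            problems.append(f"field given more than once: {name}")
    for value in fields.get("contact", []):
        # Contact must be a URI; a bare e-mail address is a common mistake.
        if not value.lower().startswith(("https://", "mailto:", "tel:")):
            problems.append(f"contact is not an https/mailto/tel URI: {value}")
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:                # treat naive times as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"file expired on {value}")
    return problems

# Constructed sample files (not taken from any real site).
GOOD = "Contact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00Z\n"
BAD = ("# constructed sample\nContact: security@example.com\n"
       "Expires: 2020-01-01T00:00:00Z\nExpires: 2021-01-01T00:00:00Z\n")

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_txt(body))
```

Run it against the file you publish at /.well-known/security.txt as part of the regular checks, so that a stale Expires date is noticed before researchers stop trusting the contact details.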

Social (and other) things: