Website Security Checklist — Free Audit Tool

Audit your website against 20+ security best practices in 60 seconds — HTTPS, security headers, cookies, GDPR consent, accessibility. Free, instant results.

A practical website security checklist covering HTTPS, DMARC, MFA, backups, and NIS2 compliance. For Irish SME owners and IT managers — plain English, actionable steps.

A dual-audience checklist covering the technical controls that tools like the Digital Trust Mark test — and the business-level controls they do not. Use it to assess where you stand and prioritise what to fix first.

Each check is graded: Quick Win (do this week), This Month (schedule it), or Plan Ahead (requires expertise).

Part 1 — Technical Controls: Website & Email Configuration

These are the controls that automated tools like the Digital Trust Mark assess. They are configuration tasks — most can be completed without specialist expertise and have an immediate impact on your security posture.

Email Authentication

Prevent attackers from sending emails that appear to come from your domain.

  • SPF record configured with -all (hard fail)
  • DKIM signing enabled on every outgoing email
  • DMARC policy published — start with p=quarantine, then move to p=reject
  • DMARC aggregate reports reviewed monthly

DNS & Domain Security

Protect your domain from hijacking, spoofing, and fraudulent certificates.

  • CAA record published to restrict certificate issuance
  • DNSSEC enabled to prevent DNS cache poisoning attacks
  • Domain registrar account secured with MFA
  • Domain auto-renewal enabled with current payment details

HTTPS & TLS Configuration

Ensure all data between your website and visitors is encrypted.

  • HTTPS enabled on all pages
  • HTTP redirects to HTTPS with a 301 permanent redirect
  • TLS 1.2 and 1.3 only (1.0 and 1.1 disabled)
  • Certificate from a trusted CA, not expired

HTTP Security Headers

Instruct browsers to apply additional protections when loading your site.

  • HSTS header present to prevent SSL stripping attacks
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN to block clickjacking
  • Referrer-Policy configured (strict-origin-when-cross-origin recommended)
  • Content Security Policy (CSP) deployed — primary defence against XSS

Part 2 — Business Controls: People, Devices & Governance

These controls address the risks that technical configuration cannot prevent — phishing, ransomware, insider threats, and regulatory non-compliance. According to Amárach research for .IE, phishing accounts for 60% of Irish cyber incidents. None of these risks appear in an automated website scan.

Staff & Access Controls

The controls that protect against phishing — the cause of 60% of Irish cyber incidents.

  • MFA enabled on all business email accounts
  • MFA enabled on cloud storage and business applications
  • Staff trained to recognise phishing emails
  • Phishing simulation run in the last 12 months
  • Leavers' accounts disabled on the day of departure
  • Principle of least privilege applied to access rights

Devices & Software

Patching and endpoint protection — the controls that stop ransomware.

  • Operating system updates applied within 14 days
  • Business software and applications kept up to date
  • Endpoint protection (antivirus/EDR) on all devices
  • Mobile Device Management (MDM) policy in place

Backup & Recovery

The controls that determine whether you survive a ransomware attack.

  • Regular backups of all critical data — the 3-2-1 rule
  • Backups tested by restoring data at least quarterly
  • Backups isolated from the main network
  • Recovery Time Objective (RTO) defined

Governance & Compliance

The organisational controls that NIS2 and regulators will look for.

  • Incident response plan documented and tested
  • NIS2 scope assessment completed
  • Cyber insurance policy in place and reviewed annually
  • Third-party and supply chain risk assessed

Want a Prioritised Action Plan?

Working through a checklist is a good start. A structured security review gives you a clear picture of where you stand across all these areas — and a prioritised, practical plan for what to fix first, based on your specific business context and risk profile.