Is this a substitute for a penetration test?

No. A pen test simulates an active attacker - login bypass attempts, authenticated endpoint probing, business-logic exploitation. This audit covers the publicly observable surface only. Both are valuable; this one is what you do before paying for a pen test.

Does HTTPS-only matter if I'm not handling payment?

Yes. Modern browsers actively mark non-HTTPS sites as 'Not Secure' - visitors see a warning. HTTPS is a confirmed Google ranking signal and required for HTTP/2 and HTTP/3.

How often should I re-run a security audit?

Quarterly is reasonable for an unchanged site. Monthly if you ship new code or third-party integrations. After any CMS, theme, or plugin update.

What's the single biggest security win for SMBs?

DMARC p=reject. Stops anyone from spoofing your domain in email, which is the #1 vector for phishing your customers and staff. Free to set up.

My hosting provider says they handle security. Do I still need to audit?

Yes - they handle the server. They do not handle your application config, third-party scripts, DMARC policy, or CMS version.

How to audit a website for security (2026 guide + free checklist)

The 9 public-signal security checks any team can run from outside the firewall - HSTS preload, modern security headers, SPF/DMARC/DKIM, DNS hygiene (DNSSEC/CAA/MTA-STS/TLS-RPT), cookie security, information exposure, SRI on third-party scripts, CMS CVE exposure, and security.txt.