Skip to content

How to check if your website is secure

You do not need a penetration test to catch the security problems most small-business sites actually have. These six checks cover the public signals attackers - and customers - can see.

1. HTTPS everywhere, not just the homepage

Every page should load over https:// and every http:// address should redirect to it. A padlock on the homepage means little if a checkout or contact page slips back to http. Mixed content - a secure page loading insecure images or scripts - also breaks the padlock and browser trust.

2. Security headers

HTTP security headers tell browsers how to protect your visitors: HSTS forces HTTPS, a Content Security Policy limits what scripts can run, and X-Frame-Options stops your site being framed inside someone else’s page for clickjacking. Most sites ship with none of them because nothing visibly breaks - until it does.

3. Email authentication: SPF, DKIM, DMARC

These three DNS records prove email claiming to be from your domain really is. Without DMARC in particular, anyone can send invoices as you - a common small-business fraud. They also decide whether your legitimate email lands in inboxes or spam. This is one of the highest-value fixes on this list and costs nothing but DNS edits.

4. Exposed software versions

If your site announces WordPress 6.2 or an old plugin version in its page source, attackers can match it against public vulnerability databases in seconds. Keep platforms updated and suppress version strings where the platform allows it.

5. Malware and blocklist status

Google Safe Browsing flags sites serving malware or phishing - and being flagged removes you from search and triggers browser warnings. You can check any site at transparencyreport.google.com, and it is worth confirming your own site is clean rather than assuming.

6. Or check all of it at once

The AuditHQ security suite runs these checks and more in one pass - SSL/TLS configuration, headers, SPF/DKIM/DMARC via live DNS lookups, CMS exposure, Safe Browsing status, and known CVEs from the NIST database - and explains each finding in plain English with the fix. The free quick scan samples it in about 60 seconds.

Frequently asked questions

Is this the same as a penetration test?

No. A penetration test actively attempts to break in and is priced accordingly. These are passive checks of publicly visible security signals - the layer where most small-business risk actually sits, and the right place to start before spending on a pentest.

My site has a padlock - is it secure?

The padlock only means the connection is encrypted. It says nothing about security headers, email spoofing protection, outdated software, or malware status. Encryption is necessary but nowhere near sufficient.

How often should I check website security?

Quarterly at minimum, and after any platform change, plugin install, or developer handover. Certificates expire, DNS records get edited, and updates lapse - security posture drifts even when nobody touches the site.