Checklist: How to perform a website safety check

8 min read
Erik Deckers

I was at a cybersecurity summit in 2015, listening to industry professionals and the FBI talk about all the different ways bad guys could infiltrate a company's network, steal their data, wreck their business, use their website for nefarious purposes, and bring their world crashing down around their ears. Now, there’s a good reason for a website safety check.

It wasn’t a fun and delightful way to spend a fall afternoon, I can tell you. But then they topped their sundae of delight with this little cherry of goodness: "It's not a question of if your website gets hacked, it's a question of when."

Yeah, thanks for that. I’ll go ahead and stress about this for the next three weeks and wish I had chosen to become a gym teacher.

Nothing is more effective at frightening someone into action than a worst-case scenario. I took steps to protect my company's website. I educated myself on how to check website security and learned how to do my own website safety check in order to keep my and my clients' sites relatively safe from "bad actors," as the FBI called them.

10 action items for a website safety check

Based on my knowledge and research, I put together this checklist you can follow to perform a basic website safety check — and reduce the odds that your own sites fall prey to the bad guys' nastiness.

  1. Enable HTTPS.

  2. Update plugins and other software.

  3. Remove unnecessary plugins.

  4. Keep backups.

  5. Monitor file integrity.

  6. Protect against brute-force attacks.

  7. Change your username.

  8. Auto-generate passwords.

  9. Scan DNS and WHOIS.

  10. Run online website safety check

Let’s get started.

1. Make sure you have the https:// protocol

That's the S in https. It's the Secure Socket Layer, which encrypts traffic between a user's browser and your website. This has become so important, Google is now factoring the existence of an SSL into its SEO formula — and starting to flag any website that isn't using https as potentially unsafe. Stay ahead of this development by picking up an SSL certificate for your site.

2. Update all software, including plugins

If you're running a website on,, or a website builder like GoDaddy's Website Builder, you don't have to worry about this part of your website safety check. But if you self-host a website on your own server, or even a third-party web host, you are responsible for your own updates to check website safety.

That means keeping content management software like WordPress updated, as well as any plugins you’re using. Many plugin updates are available to fix vulnerabilities hackers might exploit, so by using older versions of plugins, you're leaving yourself open to malicious attacks.

3. Remove unnecessary plugins

Delete any and all plugins you're not using, especially if the creators haven't updated them for several months. The risk is that a bad actor (there's that term again) will buy an out-of-date plugin, update it, and add their own piece of malicious code. Then, when you do update your plugin, you've got the new and compromised version on your site, which gives the hacker a secret backdoor into your server. If you’re trying to check website security, this can leave you pulling out your hair.

Website Safety Check Delete Plugins Dumpster
Outdated plugins? Trash ‘em.

4. Keep backups of everything

I've heard horror stories where entire websites have been devastated by a malicious so-and-so who wanted nothing more than to destroy a company's hard work. Years and years of blog posts and content can get lost to data destruction or injected malicious code. But this can be avoided if you just keep regular backups of your website, hosted in a separate third-party location — that’s not on your website's server.

Work with a separate backup service provider and keep all web data, company data, and financials safely and securely away from your website, in case something goes wrong.

For larger companies, it doesn't hurt to have two completely separate backups from two completely different providers, in case one of them fails. Check out this article for a deeper dive into the topic of backups.

5. Monitor file integrity

Pay attention to extra files you post on your website and include them in your website safety check. Image files — as well as Excel and Word documents, and even PDFs — can be corrupted by cybercrooks. Use a malware checker like GoDaddy Website Security, powered by Sucuri to establish a baseline for your files' status, which is then compared to future scans to check website security.

6. Protect yourself against brute-force attacks

This is the image we all have of hackers, bad guys trying to guess our usernames and passwords, or using software to just hammer away on that login box hundreds of times per second. This can be thwarted in a couple of ways:

  • First, use complex passwords, preferably with random letters and numbers, or better yet, a string of random words.
  • Second, if you're a WordPress user, use plugins like Limit Login Attempts to block brute-force attacks and ban IP addresses that are the source of them.

7. Change your username

Whenever I get a brute-force attack report, which happens about once a week, invariably the hackers are trying to break into the admin account. So any time I set up a new website, I always create a different name for the admin account and then delete the user Admin. That way, if anyone tries to access that particular name, they'll never get in, no matter what.

8. Auto-generate your passwords

Speaking of brute-force attacks, you can greatly reduce their odds of success by using extremely complex passwords. Don't try to come up with your own clever password:

I know! I'll use my son's middle name and the year of his birth! No one will ever think of Avery2004.

Get a password vault like 1Password or LastPass, and use their feature that auto-generates passwords to create nearly-unbreakable security. They'll create passwords that string together several words, making them nearly impossible to crack.

Website Safety Check LastPass

One password calculator, Haystack, says a particular passphrase could take “1.82 thousand trillion trillion trillion trillion centuries" to break, so I think I'm good. (I'm only planning to live 1.82 thousand trillion centuries.)

9. Scan your DNS and WHOIS

I knew a guy whose domain name was stolen because the hacker had reverse engineered his email address, and then used the Forgot My Password feature on his domain registrar. It was three weeks before my friend ever realized his domain name had been stolen, and it took another two weeks to get it back.

Monitor your DNS and WHOIS listings, whether you check it manually once a week, or get a plugin that does the job. The Sucuri security plugin, for one, will keep track of this information for you. (Sucuri provides a lot of great web security with a single program, so I'm going to keep mentioning them. I think they should give me a hat or something.) But it also helps to have two-factor authentication turned on for your email and social networks.

10. Run an online website safety check

There are several malware checkers for websites, including a few WordPress plugins. I use Sucuri (there they are again) for this function, but there are other websites that will scan your site. Sucuri is free, and it will give you a basic report of your website's security after each scan. There is also a paid version to get more functionality and features.

With other sites, avoid any random popup boxes you encounter that offer to scan your hard drive for you! That's probably malware.

There are literally dozens, if not hundreds, of things you need to do to protect your website from hackers. Many of these are built into web hosts and web software, like Web Hosting from GoDaddy. But if you're a real do-it-yourselfer, and you've got your own web server, and you’re building the website from scratch, you're going to need a professional web developer and security specialist to check website security.

Regardless, there are some basic steps to check website safety that everyone should follow, regardless of where your website is hosted, or the kind of web software you're using.

In short, if you've got a website that sits on a server somewhere, you're prone to being attacked by hackers, cybercriminals, and ne'er-do-wells. The likelihood of them gaining access to your website and its precious data depends on you, so either take these steps yourself or work with a cybersecurity professional to keep your data safe.