Free Resource

10-Step Website Security Checklist

A practical checklist for every small business owner. Knock it out in one weekend — and walk away safe from 90% of common attacks.

1. HTTPS / SSL is enabled

Look for the lock icon in the URL bar. Let's Encrypt provides SSL for free.

2. Admin password is strong (16+ characters)

Use a password manager. 'admin123' — never.

3. 2FA is ON for admin login

Two minutes to set up with Google Authenticator or a WordPress plugin.

4. WordPress / CMS is on the latest version

Enable auto-updates. Outdated versions are the #1 entry point for attackers.

5. Unused plugins / apps are deleted

Don't just deactivate — delete. The code stays on your site otherwise.

6. Daily automated backups are set up

Use UpdraftPlus (WP) or your host's backup. Store off-site (Drive / Dropbox).

7. Login attempts are rate-limited

Block brute-force bots after 3–5 failed attempts.

8. Cloudflare or a WAF is in front

Cloudflare's free plan gives baseline DDoS and bot protection.

9. Security headers are set

HSTS, X-Frame-Options, Content-Security-Policy at minimum.

10. A monthly security scan is scheduled

Start with a free scan — at least once a month.
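
For step 9, one way to check the three headers on a response you have already fetched. This is an added example, not part of the original checklist; the function name, the 180-day HSTS threshold and the sample headers are assumptions constructed for illustration.

```python
import re

# Constructed sample response headers (not taken from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}

MIN_HSTS_AGE = 15552000  # assumed threshold: 180 days, in seconds


def audit_security_headers(headers):
    """Return a list of findings for the three headers named in step 9."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: missing")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m:
            findings.append("HSTS: no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS: max-age below %d seconds" % MIN_HSTS_AGE)

    csp = h.get("content-security-policy")
    # First token of each ';'-separated CSP directive, e.g. "default-src".
    directives = [d.split()[0].lower() for d in (csp or "").split(";") if d.strip()]

    xfo = h.get("x-frame-options")
    if xfo is None:
        # CSP frame-ancestors also restricts framing, so accept it instead.
        if "frame-ancestors" not in directives:
            findings.append("X-Frame-Options: missing (and no CSP frame-ancestors)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: unrecognised value %r" % xfo)

    if csp is None:
        findings.append("Content-Security-Policy: missing")
    elif "default-src" not in directives and "script-src" not in directives:
        findings.append("Content-Security-Policy: no default-src or script-src")
    return findings


if __name__ == "__main__":
    for line in audit_security_headers(SAMPLE_HEADERS):
        print(line)
```

Pass it the header dictionary from whatever HTTP client you use; an empty list means all three headers are present with usable values.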

Rather not do it yourself?

Our free scan tells you exactly which of these 10 steps are incomplete on your site — and which one to fix first.

FAQs

Any small business website owner — WordPress, Shopify, or a custom site. The steps are universal.
