Website security can feel overwhelming. This checklist breaks it down into 20 actionable steps to systematically harden your defenses.

Foundational Security

✅ 1. Use HTTPS Everywhere - Encrypt all traffic, not just login pages

✅ 2. Implement Security Headers - HSTS, CSP, X-Frame-Options, etc.

✅ 3. Keep Software Updated - CMS, plugins, server software

✅ 4. Use a Web Application Firewall - Filter malicious traffic

Access Control

✅ 5. Enforce Strong Passwords - Require complexity and length

✅ 6. Enable Two-Factor Authentication - Especially for admins

✅ 7. Implement Account Lockout - Prevent brute force attacks

✅ 8. Use Least Privilege Principle - Minimal permissions needed

✅ 9. Change Default Credentials - Never use "admin/admin"

✅ 10. Sanitize All User Input - Prevent injection attacks

✅ 11. Use Parameterized Queries - Prevent SQL injection

✅ 12. Secure Your Cookies - HttpOnly, Secure, SameSite

✅ 13. Protect Against CSRF - Anti-CSRF tokens

✅ 14. Choose Secure Hosting - Reputable provider with security features

✅ 15. Set Proper File Permissions - 755 for directories, 644 for files

✅ 16. Disable Directory Listing - Don't expose file structure

✅ 17. Regular Backups - Automated, off-site, tested

✅ 18. Security Logging - Monitor for suspicious activity

✅ 19. Regular Security Scans - Proactive vulnerability detection

✅ 20. Incident Response Plan - Know what to do when breached

Use Cavarette's free scanner to check how many items on this list your website already covers.