25 April 2026 · Website Security
Website Security Checklist: 15 Things Every UK Small Business Should Check
A practical walkthrough of the most common security gaps we find on small business websites.
Most small business websites have at least a few security issues. Not because the owners are careless, but because nobody told them what to check. This checklist covers the 15 most common problems we find during security audits, along with what to do about each one.
If you want an automated check of all 15 items (and more), PulseShield scans your website and delivers a professional report in minutes.
- Valid SSL certificate: Your site must load over HTTPS with a valid certificate. Check that the certificate has not expired, covers the correct domain (including www), and is issued by a trusted authority. Mixed content warnings (HTTP resources on an HTTPS page) also need fixing.
- HTTP Strict Transport Security (HSTS): The HSTS header tells browsers to always use HTTPS, preventing downgrade attacks. Without it, a man-in-the-middle can intercept the initial HTTP request before the redirect to HTTPS happens.
- X-Frame-Options header: This header prevents your site from being loaded in an iframe on another domain. Without it, attackers can use clickjacking to trick users into clicking hidden elements on your page.
- X-Content-Type-Options header: Set to `nosniff`, this header stops browsers from guessing (MIME-sniffing) file types. Without it, a browser might execute an uploaded file as a script when it was supposed to be treated as plain text.
- Content-Security-Policy header: CSP controls which sources your site is allowed to load scripts, styles, and images from. It is one of the most effective defences against cross-site scripting (XSS) attacks. Even a basic CSP is better than none.
- X-XSS-Protection header: While largely superseded by CSP in modern browsers, this header still provides a safety net for older browsers. Set it to `1; mode=block` to enable the browser's built-in XSS filter.
- Cookie consent compliance: Non-essential cookies must not be set before the user gives informed consent. Check that your consent banner appears before any analytics, tracking, or advertising cookies load. The ICO is actively enforcing this. See our ICO cookie consent fines guide for details.
- Secure cookie flags: Session cookies should have the `Secure` flag (only sent over HTTPS) and the `HttpOnly` flag (not accessible via JavaScript). The `SameSite` attribute should be set to `Lax` or `Strict` to prevent cross-site request forgery.
- SPF record: An SPF record in your DNS tells receiving mail servers which servers are authorised to send email from your domain. Without it, anyone can impersonate your domain in phishing emails. See our SPF, DKIM, and DMARC guide.
- DKIM and DMARC records: DKIM signs your outgoing emails cryptographically. DMARC tells receivers what to do when SPF or DKIM fails. Together with SPF, these three records form your email authentication foundation.
- Unnecessary open ports: Every open port is a potential entry point. Common mistakes include leaving database ports (3306, 5432) exposed to the internet, having SSH (22) open with password authentication, or running development servers on public IPs. Close anything you do not need.
- Exposed sensitive files: Check that files like `.env`, `wp-config.php`, `config.yml`, database dumps, and backup archives are not accessible via the web. Also check for exposed admin panels, phpMyAdmin installations, and debug endpoints.
- Directory listing disabled: If directory listing is enabled, visitors can browse your file structure and see every file on your server. Disable it in your web server configuration.
- Regular backups with tested restoration: Backups that have never been tested are not reliable backups. Set up automated backups, store them off-site, and periodically verify that you can restore from them. Know your recovery time objective.
- Software and plugin updates: Outdated content management systems, plugins, and server software are the most common way websites get compromised. Set up automatic updates where possible, and check monthly for anything that requires manual updating.
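The header and cookie items above (HSTS, X-Frame-Options, X-Content-Type-Options, CSP, X-XSS-Protection and the Secure/HttpOnly/SameSite flags) can be checked from a single HTTP response. The script below is an added example, not code from this post or from PulseShield. It assumes the response headers are handed to it as a plain dict and the Set-Cookie values as a list of strings (as returned by any HTTP client), and it ships with a constructed sample response so it runs offline.

```python
"""Audit an HTTP response's security headers and Set-Cookie flags.

Added example, not PulseShield code. Headers are supplied as a plain dict
(for instance ``dict(requests.get(url).headers)``) so the audit runs offline.
"""
from __future__ import annotations

import re

# Values the checklist accepts for X-Frame-Options
FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per failed header check; an empty list means all pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) == 0:
            findings.append("HSTS: max-age missing or zero, so the header has no effect")

    if h.get("x-frame-options", "").strip().upper() not in FRAME_OPTIONS_OK:
        findings.append("Clickjacking: X-Frame-Options should be DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("MIME sniffing: X-Content-Type-Options should be nosniff")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("XSS: Content-Security-Policy header missing")
    elif "'unsafe-inline'" in csp.lower():
        findings.append("XSS: CSP allows 'unsafe-inline', which weakens it against injected scripts")

    xss = re.sub(r"\s+", "", h.get("x-xss-protection", "")).lower()
    if xss != "1;mode=block":
        findings.append("Legacy XSS filter: X-XSS-Protection should be '1; mode=block'")

    return findings


def audit_cookies(set_cookie_values: list[str]) -> list[str]:
    """Check every Set-Cookie value for Secure, HttpOnly and SameSite=Lax/Strict."""
    findings: list[str] = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs: dict[str, str] = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")  # flags such as HttpOnly carry no value
            attrs[key.strip().lower()] = val.strip().lower()
        if "secure" not in attrs:
            findings.append(f"Cookie {name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: missing HttpOnly flag")
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(f"Cookie {name}: SameSite should be Lax or Strict")
    return findings


# Constructed sample response, typical of a default CMS install
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
SAMPLE_COOKIES = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_COOKIES):
        print("-", finding)
```

Run against the sample, it reports the four header gaps (X-Frame-Options set to a value browsers do not honour, no nosniff, a CSP weakened by `'unsafe-inline'`, no X-XSS-Protection) and the two missing flags on the session cookie, while the preferences cookie passes. Note that the Secure flag is only meaningful once the site itself is served over HTTPS, so this check belongs after the certificate check, not instead of it.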
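For the SPF and DMARC items, the records themselves can be read and graded once you have the TXT strings from DNS. The script below is an added example, not code from this post or from PulseShield. It assumes you pass in the TXT records found at the domain apex and at `_dmarc.<domain>` (fetched with any DNS client), uses a constructed record set for the fictional domain `example.co.uk`, and does not verify DKIM, which requires knowing the selector each sending service uses.

```python
"""Parse and assess a domain's SPF and DMARC TXT records.

Added example, not PulseShield code. The records are passed in as the TXT
strings a DNS lookup would return, so the checks run offline.
"""
from __future__ import annotations

import re

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per record
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into its terms, the qualifier on 'all', and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' (pass) is the default
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"terms": terms[1:], "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Turn the 'tag=value;' pairs of a DMARC record into a dict keyed by lowercase tag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_email_auth(apex_txt: list[str], dmarc_txt: list[str]) -> list[str]:
    """Findings for the TXT records at the domain apex and at _dmarc.<domain>."""
    findings: list[str] = []

    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record, so anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record, receivers treat this as a permanent error")
    else:
        parsed = parse_spf(spf[0])
        if parsed["all"] not in ("-", "~"):
            findings.append("SPF: record does not end in -all or ~all, so spoofed mail is not rejected")
        if parsed["lookups"] > 10:
            findings.append(f"SPF: {parsed['lookups']} DNS lookups exceeds the limit of 10, record is invalid")

    dmarc = [r for r in dmarc_txt if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, so receivers have no policy for mail that fails SPF/DKIM")
    elif len(dmarc) > 1:
        findings.append("DMARC: more than one record, receivers stop processing and apply none")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "missing").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy}, spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


# Constructed sample records for a fictional domain
SAMPLE_APEX_TXT = [
    "google-site-verification=abc123",
    "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"]

if __name__ == "__main__":
    for finding in audit_email_auth(SAMPLE_APEX_TXT, SAMPLE_DMARC_TXT):
        print("-", finding)
```

The sample domain has a sound SPF record but a DMARC policy of `p=none`, which is the usual first step (collect reports, fix legitimate senders that fail) and should be moved to `quarantine` or `reject` once the aggregate reports show no false positives; the audit flags exactly that. The apex list is filtered rather than assumed to contain only SPF, because site-verification and other TXT records normally share the same name.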
How to check all of this without doing it manually
Going through this list manually would take hours for each website, and you would need to know what to look for in each case. That is exactly why we built PulseShield. A single automated scan checks your SSL configuration, all critical security headers, cookie compliance, email authentication records, open ports, exposed files, and more.
You get a professional PDF report categorised by severity, with specific remediation steps for each finding. It takes about five minutes. See our pricing page for one-off audits from £29, or get in touch for continuous monitoring options.