# Website Security Checklist

*Technical aid for website operators — not legal advice, not a data protection audit, not a certification.*

---

## 1. Website Inventory

- [ ] CMS and its version documented (WordPress, Drupal, TYPO3, etc.)
- [ ] All active plugins/extensions listed
- [ ] All active themes/templates listed
- [ ] Unused plugins/themes deactivated and removed
- [ ] All active forms identified (contact, booking, newsletter, etc.)
- [ ] Payment integrations documented
- [ ] Analytics tools documented (Google Analytics, Matomo, etc.)
- [ ] Cookie consent tool identified and version noted
- [ ] All external services listed (fonts, maps, videos, chat, etc.)

## 2. Hosting and DNS

- [ ] Hosting provider and plan documented
- [ ] Domain registrar documented
- [ ] DNS records reviewed (A, CNAME, MX, TXT)
- [ ] SPF/DKIM/DMARC records for email present
- [ ] Nameserver configuration known

## 3. TLS/HTTPS and Security Headers

- [ ] HTTPS enforced on all pages
- [ ] TLS version at least 1.2
- [ ] HSTS header active
- [ ] Content-Security-Policy (CSP) reviewed
- [ ] X-Frame-Options set
- [ ] X-Content-Type-Options set
- [ ] Referrer-Policy set
- [ ] Permissions-Policy reviewed
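As an added example (not part of this checklist or of Website-Pflichtencheck's own tooling), the Python below evaluates a response's headers against the items in this section and lists which ones fail; the constructed sample headers and the six-month HSTS minimum are assumptions.

```python
import re
import urllib.request

# Constructed sample: response headers as a server might send them (not from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

MIN_HSTS_AGE = 180 * 24 * 3600  # assumed baseline: at least six months

def hsts_max_age(value):
    """Return the max-age seconds from an HSTS header value, 0 if absent or unparsable."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def check_security_headers(headers):
    """Map each header item of this section to True (passes) or False (needs attention)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    weak_csp = "'unsafe-inline'" in csp or re.search(r"(?:^|\s)\*(?:\s|;|$)", csp) is not None
    return {
        "hsts_present": "strict-transport-security" in h,
        "hsts_max_age_ok": hsts_max_age(h.get("strict-transport-security", "")) >= MIN_HSTS_AGE,
        "csp_present": bool(csp),
        # a CSP that allows inline scripts or a bare wildcard source still needs review
        "csp_without_unsafe_inline_or_wildcard": bool(csp) and not weak_csp,
        # CSP frame-ancestors supersedes X-Frame-Options; either one restricts framing
        "framing_restricted": xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
        "nosniff_set": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "referrer_policy_present": "referrer-policy" in h,
        "permissions_policy_present": "permissions-policy" in h,
    }

def failed_items(headers):
    """Names of the checklist items that are not satisfied, in checklist order."""
    return [name for name, ok in check_security_headers(headers).items() if not ok]

def fetch_headers(url, timeout=10):
    """Live use on a site you operate: fetch its response headers (not used by the offline sample)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())
```

Run `failed_items(fetch_headers("https://your-site.example/"))` against your own site; some servers reject HEAD requests, in which case use a GET request instead.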

## 4. Updates and Dependency Hygiene

- [ ] CMS core version current
- [ ] All plugins current
- [ ] All themes current
- [ ] Update rhythm defined (who, when, how)
- [ ] Test process for updates documented
- [ ] External dependencies (CDN, APIs) checked to be up to date
- [ ] Outdated components identified and replacement planned

## 5. Backups and Restore

- [ ] Backup rhythm defined (daily/weekly)
- [ ] Backup storage location documented (local, cloud, separate)
- [ ] Backup retention policy defined
- [ ] Restore tested within the last 6 months
- [ ] Responsible person for backups named

## 6. Forms, Uploads, and Spam Protection

- [ ] All forms tested for functionality
- [ ] Spam protection active (CAPTCHA, honeypot, etc.)
- [ ] File uploads restricted to allowed formats
- [ ] Upload sizes limited
- [ ] Upload directory not publicly listable
- [ ] Form submission encrypted

## 7. Admin Access and Authentication

- [ ] Admin URL non-standard (e.g., not /wp-admin)
- [ ] Strong password policy enforced
- [ ] Multi-factor authentication (MFA/2FA) active
- [ ] User roles assigned minimally (principle of least privilege)
- [ ] Inactive user accounts disabled or deleted
- [ ] Login attempts limited (brute-force protection)
- [ ] Last access review performed

## 8. Logging, Monitoring, and Incident Management

- [ ] Access logs enabled
- [ ] Error logs enabled
- [ ] Log retention period defined
- [ ] Uptime monitoring active
- [ ] Alerting on outage configured
- [ ] Incident contact path documented (who gets alerted for problems)
- [ ] Security reporting email or contact address present

## 9. Privacy-Adjacent Technical Checks

- [ ] Cookie banner technically reviewed (do scripts load before consent?)
- [ ] Tracking scripts checked for correct execution order
- [ ] External fonts self-hosted or consciously used
- [ ] Embeds (maps, videos, social media) reviewed for privacy
- [ ] Third-party scripts reviewed for necessity
- [ ] Privacy policy covers all actually used services
- [ ] Opt-out mechanisms functional

## 10. AI Tools and Data Handling

- [ ] AI services on the website identified (chatbot, content gen, etc.)
- [ ] Prompt data flows documented (what gets sent to AI services)
- [ ] Usage notes for AI-generated content present
- [ ] Internal AI use by staff documented
- [ ] Contractual basis with AI providers reviewed

## 11. Documentation and Responsibility

- [ ] Responsible person for website technology named
- [ ] Last review date documented
- [ ] Changes since last review listed
- [ ] Documentation location known (wiki, drive, docs/)
- [ ] Emergency contact for hosting/domain/developer current
- [ ] Knowledge about website setup is not concentrated on one person

---

*This checklist is provided by Website-Pflichtencheck. It is a technical aid and does not replace legal advice, a data protection audit, or a security certification. For legal questions, consult a lawyer or data protection officer.*

**Website-Pflichtencheck** — Technical clarity for your website.
https://website-pflichtencheck.de
