How Website-Pflichtencheck makes security processes visible
Many website risks are not caused by spectacular hacks, but by undocumented plugins, missing update routines, and unclear responsibility. Here is how Website-Pflichtencheck creates technical clarity.
The Cyber Resilience Act puts security processes for software products in the spotlight. But many web risks do not come from dramatic hacks or targeted attacks. They grow slowly: a plugin that has not been updated in eighteen months. A tracking script that loads before the consent banner. A hosting account where no one knows who actually has access.
Website-Pflichtencheck takes a different approach from classic security audits. The goal is not certification, but visibility: what is technically running on the website, which risks can be read from the configuration, and what should happen next?
Why most website risks are boring — and that makes them dangerous
Typical findings that become visible during a check:
- Undocumented plugins and themes: Especially with WordPress, often ten to fifty extensions are active. Some are no longer maintained. Some were already redundant two years ago.
- Missing update routines: No rhythm, no owner, no test process. Updates are postponed until something breaks — or not noticed at all.
- Unclear responsibilities: Who handles backups? Who checks whether forms still work? Who notices when an external script suddenly loads from a different domain?
- Drift in tracking and cookies: The consent banner is present, but technically third-party scripts load before consent. This is not purely a legal issue — it is a technical visibility issue.
- Forgotten dependencies: External fonts, embedded maps, video players, analytics, chat widgets. Each is a connection point that should be reviewed.
- Weak hosting baseline configuration: Missing security headers, outdated TLS versions, open directory indexing, insecure upload paths — often checkable in minutes, overlooked for months.
These risks are not spectacular. That is why they are often ignored. Until something happens.
What Website-Pflichtencheck technically reviews
The focus is on the technical risk map of a website. Not on evaluating individual legal texts, not on certification, not on guaranteeing that a website is "secure".
Areas reviewed include:
- Inventory: CMS, plugins, themes, active modules, external services
- Hosting and DNS: Baseline configuration, TLS/HTTPS, security headers, DNS records
- Updates and hygiene: Detectable outdated components, missing update paths
- Forms and uploads: Functionality, spam protection, file upload risks
- Tracking and third parties: External scripts, cookie behavior, consent technical implementation
- Performance signals: Image sizes, load times, mobile rendering — as risk indicators, not ranking guarantees
- Access and roles: Admin paths, visible authentication risks
- AI tools and data inputs: Where are AI services embedded, what data flows where?
The result is a prioritized action list: what is urgent, what is relevant in the medium term, what can be monitored.
The difference between a technical check and security certification
Website-Pflichtencheck is not a penetration test. Not an ISO 27001 audit. Not legal advice.
The difference lies in the scope:
| | Website-Pflichtencheck | Full Security Audit |
|---|---|---|
| Goal | Make risks visible | Thoroughly evaluate gaps |
| Depth | Technical surface and configuration | Infrastructure, code, processes |
| Result | Prioritized recommendations | Detailed report with evidence |
| Duration | Days | Weeks to months |
| Cost | Fixed price, manageable | Project price, significantly higher |
| Legal status | Not legal advice | May include compliance-relevant assessment |
Both have their place. Website-Pflichtencheck is the pragmatic first step for businesses that want to know where they stand — without immediately committing to a six-month project.
Practical example: what a check typically finds
A typical result might look like this:
| Finding | Risk | Recommendation |
|---|---|---|
| External font service detected | medium | Self-host or review |
| Security headers missing | medium | Add headers |
| Tracking signal before consent | high | Check script order |
| Images too large | low/medium | WebP + lazy loading |
| Plugin not updated for 18 months | medium | Check update or replacement |
| Backup rhythm unclear | medium | Document process |
This table is not a theoretical example. It reflects what an actual check produces: a mix of quick improvements and structural points that should be assigned to someone in the organization.
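As an added illustration of how such a finding list can be produced, here is a small check that runs over a constructed HTTP header set and HTML snippet and emits findings in the same shape (finding, risk, recommendation). This is example code written for this article, not the Website-Pflichtencheck tooling; the expected header list and the consent-tool hostname are assumptions.

```python
"""Toy 'security headers + script order' check producing a prioritized finding list."""
import re
from urllib.parse import urlparse

# Baseline headers this example expects (assumed list, not the service's own).
EXPECTED_HEADERS = {
    "strict-transport-security": "Add HSTS header",
    "content-security-policy": "Add CSP header",
    "x-content-type-options": "Add X-Content-Type-Options: nosniff",
    "x-frame-options": "Add X-Frame-Options or CSP frame-ancestors",
    "referrer-policy": "Add Referrer-Policy",
}
# Constructed consent-tool hostname; a real check would read this from config.
CONSENT_HOSTS = {"consent.example-cmp.test"}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def header_findings(headers):
    """One medium finding per expected header that the response does not set."""
    present = {name.lower() for name in headers}
    return [("Security header missing: " + h, "medium", rec)
            for h, rec in EXPECTED_HEADERS.items() if h not in present]

def script_findings(html, site_host):
    """Flag third-party <script src> tags; those loaded before the consent script are high."""
    srcs = re.findall(r'<script[^>]+src=["\']([^"\']+)', html, re.I)
    findings, consent_seen = [], False
    for src in srcs:
        host = urlparse(src).netloc.lower()      # empty for relative (first-party) paths
        if host in CONSENT_HOSTS:
            consent_seen = True
        elif host and host != site_host:
            if consent_seen:
                findings.append((f"Third-party script {host}", "medium", "Review dependency"))
            else:
                findings.append((f"Third-party script {host}", "high", "Check script order"))
    return findings

def run_check(headers, html, site_host):
    """Combine all findings and sort them by risk, highest first (stable order otherwise)."""
    findings = header_findings(headers) + script_findings(html, site_host)
    return sorted(findings, key=lambda f: RISK_ORDER[f[1]])

# Constructed sample input: two of five baseline headers set, one tracker before consent.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=63072000",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = """<html><head>
<script src="https://analytics.tracker.test/tag.js"></script>
<script src="https://consent.example-cmp.test/cmp.js"></script>
<script src="/assets/app.js"></script>
<script async src="//chat.widget.test/embed.js"></script>
</head></html>"""

if __name__ == "__main__":
    for finding, risk, rec in run_check(SAMPLE_HEADERS, SAMPLE_HTML, "www.example.test"):
        print(f"| {finding} | {risk} | {rec} |")
```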
Download: Website Security Checklist
As a practical supplement, there is a free security checklist available for download. It covers the most important technical checkpoints and can be used internally or handed to service providers.
The checklist covers:
- Website inventory: CMS, plugins, themes, forms, payment, analytics, cookie tools
- Hosting and DNS basics
- TLS/HTTPS and security headers
- Updates and dependency hygiene
- Backups and restore tests
- Forms, uploads, and spam protection
- Admin access, roles, MFA, password hygiene
- Logging, monitoring, and incident contact path
- Privacy-adjacent technical checks: cookies, tracking, third-party scripts
- AI tools and prompt/data handling where applicable
- Documentation: who owns what, when was it last checked, what changed?
Note: This checklist is a technical aid and does not replace legal advice, a data protection audit, or a security certification.
Conclusion
The Cyber Resilience Act makes clear that security processes must be documented and repeatable. For many businesses with websites, the first step is not a million-euro compliance project, but the simple question: What is running on our website, and who is responsible for it?
Website-Pflichtencheck answers this question technically, pragmatically, and without alarmism. The goal is clarity. Nothing more, but nothing less either.
Note: This article is a technical overview and does not constitute legal advice.