Website Security Audit
A security audit identifies vulnerabilities that could expose your business to data breaches, malware infections, or compliance violations. It examines encryption, authentication, software versions, and data handling practices.
Security failures can destroy customer trust overnight. A data breach costs an average of £3.4 million. GDPR fines can reach 4% of global turnover. Prevention is cheaper than cure.
What a security audit examines
SSL/TLS configuration
Certificate validity, protocol versions, cipher suites, and HTTPS enforcement.
Common issues
- Expired or misconfigured certificates
- Weak protocol versions
- Mixed content warnings
- Missing HSTS headers
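The four issues above are the ones an auditor checks first, and each is mechanical enough to script. The following is an added example, not code from this page or its audit service: it runs the checks over a captured snapshot of one host (the leaf certificate as returned by Python's `getpeercert()`, the protocol versions the server negotiates, the HTTPS response headers and the page body). The policy thresholds (anything below TLS 1.2 is weak, HSTS must commit for at least a year) and the sample snapshot of a badly configured host are constructed assumptions.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed audit policy: anything below TLS 1.2 is flagged, and HSTS must
# commit for at least one year (also the max-age required for preload lists).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_MIN_MAX_AGE = 31_536_000

# Subresources loaded over plain HTTP from an HTTPS page are mixed content;
# plain <a href> links are not, so only src attributes and <link href> count.
SRC_RE = re.compile(r'\bsrc\s*=\s*["\'](http://[^"\']+)', re.IGNORECASE)
LINK_RE = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\'](http://[^"\']+)', re.IGNORECASE)


def _name_matches(pattern, hostname):
    """Exact name, or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_certificate(cert, hostname=None, now=None, warn_days=30):
    """Findings for a certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    findings = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif not_after - now < timedelta(days=warn_days):
        findings.append(f"certificate expires within {warn_days} days ({not_after:%Y-%m-%d})")
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname and not any(_name_matches(n, hostname) for n in names):
        findings.append(f"certificate does not cover {hostname}")
    return findings


def check_protocols(offered):
    """Findings for the set of protocol version names the server will negotiate."""
    return [f"weak protocol enabled: {p}" for p in sorted(offered & WEAK_PROTOCOLS)]


def check_hsts(headers):
    """Findings for the Strict-Transport-Security header of an HTTPS response."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return ["HSTS header has no valid max-age directive"]
    findings = []
    if int(directives["max-age"]) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {directives['max-age']} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not include subdomains")
    return findings


def check_mixed_content(html):
    """Findings for http:// subresources referenced from the page body."""
    urls = SRC_RE.findall(html) + LINK_RE.findall(html)
    return [f"mixed content: {url}" for url in urls]


def audit_snapshot(snapshot, now=None):
    """Run every check over a captured snapshot of one host and return all findings."""
    return (check_certificate(snapshot["cert"], snapshot["hostname"], now)
            + check_protocols(set(snapshot["protocols"]))
            + check_hsts(snapshot["headers"])
            + check_mixed_content(snapshot["html"]))


# Constructed snapshot of a poorly configured host, as captured on 1 June 2024.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = {
    "hostname": "www.example.com",
    "cert": {
        "notAfter": "Mar  1 00:00:00 2024 GMT",   # getpeercert() date format
        "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    },
    "protocols": {"TLSv1", "TLSv1.2", "TLSv1.3"},
    "headers": {"Strict-Transport-Security": "max-age=86400", "Content-Type": "text/html"},
    "html": '<script src="http://cdn.example.com/app.js"></script><a href="http://example.com/about">About</a>',
}

if __name__ == "__main__":
    for finding in audit_snapshot(SAMPLE_SNAPSHOT, now=SAMPLE_NOW):
        print("-", finding)
```

Against the sample snapshot this reports five findings: an expired certificate, TLS 1.0 still enabled, an HSTS max-age of one day without `includeSubDomains`, and a script loaded over plain HTTP. For a live host, populate the snapshot from a real handshake and response; note that a single handshake only tells you the negotiated version, so enumerating every enabled protocol takes one connection attempt per version.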
Vulnerability scanning
Known vulnerabilities in CMS, plugins, libraries, and server software.
Common issues
- Outdated WordPress core
- Vulnerable plugins
- Known CVEs unpatched
- Exposed admin panels
Authentication
How users and administrators access the system.
Common issues
- Weak password policies
- No multi-factor auth
- Session management flaws
- Vulnerability to brute-force attacks
Data protection
How personal data is collected, stored, and processed.
Common issues
- Unnecessary data collection
- Insecure storage
- No data retention policy
- Third-party data sharing
Server hardening
Operating system and server configuration security.
Common issues
- Default configurations
- Unnecessary services running
- Missing security patches
- Improper file permissions
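Of the server hardening issues listed, improper file permissions are the easiest to audit from the filesystem itself. Here is an added example (not the page's or the audit service's own tooling) that walks a web root on a POSIX system and flags world-writable entries, setuid or setgid binaries, and secret files readable by anyone other than their owner. The list of filenames treated as secrets and the sample tree it builds in a temporary directory are constructed assumptions.

```python
import os
import stat
import tempfile

# Constructed list of files whose contents are secrets: owner-only readable.
SECRET_NAMES = {".env", "wp-config.php", "id_rsa", ".htpasswd"}


def classify(mode, name):
    """Yield the hardening issues a single directory entry exhibits."""
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        yield "world-writable"                     # sticky /tmp-style dirs are exempt
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        yield "setuid/setgid"
    if name in SECRET_NAMES and mode & (stat.S_IRGRP | stat.S_IROTH):
        yield "secret readable by group/others"


def find_permission_issues(root):
    """Walk a tree (symlinks not followed) and return (path, issue) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                           # vanished or unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue
            findings.extend((path, issue) for issue in classify(st.st_mode, name))
    return findings


def relative_findings(root):
    """Same findings keyed by path relative to root, convenient for reports."""
    return {(os.path.relpath(path, root), issue) for path, issue in find_permission_issues(root)}


def build_sample_tree():
    """Constructed web root with typical mistakes; returns the temporary directory."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {                                     # relative path -> (is_dir, mode)
        "uploads": (True, 0o777),                  # world-writable upload directory
        "scratch": (True, 0o1777),                 # world-writable but sticky: acceptable
        "bin": (True, 0o755),
        "bin/helper": (False, 0o4755),             # setuid helper left behind by an installer
        "wp-config.php": (False, 0o644),           # database credentials readable by everyone
        ".ssh": (True, 0o700),
        ".ssh/id_rsa": (False, 0o600),             # correctly restricted
        "index.php": (False, 0o644),               # ordinary public file, fine
    }
    for rel, (is_dir, mode) in layout.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("# constructed sample content\n")
        os.chmod(path, mode)                       # chmod ignores umask, so modes are exact
    return root


def audit_sample_tree():
    """Build the sample tree and return its findings as a set of (path, issue)."""
    return relative_findings(build_sample_tree())


if __name__ == "__main__":
    for path, issue in sorted(audit_sample_tree()):
        print(f"{issue:35} {path}")
```

On the sample tree this flags exactly three entries: the world-writable `uploads` directory, the setuid `bin/helper`, and `wp-config.php` being readable by every local user. The sticky `scratch` directory and the owner-only `id_rsa` are correctly left alone, which is the distinction a naive "any world-writable path" check gets wrong.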
Privacy compliance
GDPR, CCPA, and other regulatory requirements.
Common issues
- Missing cookie consent
- Inadequate privacy policy
- No data subject rights
- International transfer issues
Common security problems
Outdated software
Running CMS, plugins, or libraries with known vulnerabilities. Automated scanners target these constantly.
Impact: Easy target for automated attacks, potential complete site compromise.
Missing SSL/HTTPS
Sites still serving pages over HTTP or with misconfigured HTTPS.
Impact: Data interception possible, browser warnings destroy trust, SEO penalty.
Weak admin security
Default login URLs, weak passwords, no rate limiting on login attempts.
Impact: Brute-force attacks can gain administrative access.
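The authentication section above lists brute-force exposure and the admin-security problem restates it as missing rate limiting on login attempts. The following added example (not the page's or the audit service's own code) shows the control an auditor expects to find behind a login form: failed attempts counted in a sliding window per account and per client IP, passwords stored as salted PBKDF2 hashes and compared in constant time, and unknown usernames costing the same work as wrong passwords so response timing does not reveal which accounts exist. The user store, the PBKDF2 round count, the limits and the simulated attempt sequence are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed parameter: rounds kept modest so the demo runs quickly;
# production deployments tune this much higher (or use Argon2/scrypt).
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); only these two values are ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginThrottle:
    """Sliding-window counters of failed logins, keyed per account and per client IP."""

    def __init__(self, account_limit=5, ip_limit=20, window=900):
        self.account_limit, self.ip_limit, self.window = account_limit, ip_limit, window
        self._failures = defaultdict(deque)         # key -> timestamps of recent failures

    def _recent(self, key, now):
        queue = self._failures[key]
        while queue and now - queue[0] > self.window:
            queue.popleft()                         # forget failures outside the window
        return len(queue)

    def allowed(self, username, ip, now):
        return (self._recent(("user", username.lower()), now) < self.account_limit
                and self._recent(("ip", ip), now) < self.ip_limit)

    def record_failure(self, username, ip, now):
        self._failures[("user", username.lower())].append(now)
        self._failures[("ip", ip)].append(now)

    def record_success(self, username):
        self._failures.pop(("user", username.lower()), None)


# Constructed user store.
USERS = {"admin": hash_password("correct horse battery staple")}
# Dummy credential so unknown usernames do the same hashing work as wrong passwords.
_DUMMY = hash_password("placeholder-not-a-real-credential")


def attempt_login(throttle, users, username, password, ip, now):
    """Return 'locked', 'denied' or 'ok'. 'denied' covers unknown users and wrong
    passwords alike, so the response does not reveal which accounts exist."""
    if not throttle.allowed(username, ip, now):
        return "locked"
    salt, digest = users.get(username.lower(), _DUMMY)
    valid = verify_password(password, salt, digest) and username.lower() in users
    if valid:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "denied"


def simulate_brute_force(attempts=6):
    """Constructed scenario: wrong guesses against 'admin' from one IP (times in
    seconds), then the real password during the lockout, then after it expires."""
    throttle = LoginThrottle(account_limit=5, ip_limit=20, window=900)
    results = [attempt_login(throttle, USERS, "admin", f"guess{i}", "203.0.113.7", now=100 + i)
               for i in range(attempts)]
    results.append(attempt_login(throttle, USERS, "admin", "correct horse battery staple", "203.0.113.7", now=200))
    results.append(attempt_login(throttle, USERS, "admin", "correct horse battery staple", "203.0.113.7", now=1001))
    return results


if __name__ == "__main__":
    print(simulate_brute_force())
```

The simulation gives five `denied` responses, then `locked` for the sixth guess and for the correct password presented during the 15-minute window, and `ok` once the oldest failure has aged out. The per-IP counter is what stops an attacker from sidestepping the per-account limit by spraying one password across many usernames; a real deployment adds multi-factor authentication on top, which this example does not model.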
GDPR non-compliance
Missing consent mechanisms, inadequate privacy notices, or improper data handling.
Impact: Regulatory fines, customer trust erosion, legal liability.
Part of the wider Commercial Assessment
A security audit tells you what vulnerabilities exist. It does not tell you whether security is prioritised in your organisation.
- Security problems often have organisational causes: no security responsibility, no update process, developers prioritising features over security.
- Fixing vulnerabilities without fixing the security culture means new vulnerabilities will emerge with every change.
- Some security investments have higher commercial priority: securing payment processing matters more than securing a marketing microsite.
The Commercial Assessment examines security alongside five other domains: channels and reporting, attribution, sales handoff, user experience, and team capability. Security is one factor in a larger system.
Trust is expensive to rebuild
If you suspect security vulnerabilities, that is worth understanding. But if you suspect the problem is systemic, not just technical, you need a broader assessment.