Website Security Self-Check for Business Owners
You don't need to be technical to ask the right questions about your website. Work through this self-check — anything you can't answer is a question for your developer or host, and a gap worth closing.
Ownership and recovery
- You know where your domain name is registered and can log in to that account
- You know who hosts the website and have your own access (not only via your developer)
- You could regain full control of the site if your developer disappeared tomorrow
- Domain and hosting renewals are paid from your accounts, with renewal reminders turned on
Basic hygiene
- The site loads over HTTPS and the padlock shows on every page
- The CMS (e.g. WordPress) and plugins are updated on a schedule, not 'when someone remembers'
- Unused plugins and themes are removed, not just deactivated
- Admin login uses a strong unique password and MFA where supported
- The admin login page is not linked publicly and, ideally, is not at a default path
Forms and enquiries
- You know exactly where contact form submissions go and who monitors that inbox
- A test enquiry submitted this month actually arrived
- Forms have spam protection
- You only collect the personal information you actually need
Backups
- Site backups run automatically and are stored separately from the hosting account
- Someone has tested restoring a backup in the last 12 months
- You know how long a restore would take and who would do it
General guidance only, drawn from practical experience and aligned with public Australian guidance from the ASD's Australian Cyber Security Centre (cyber.gov.au) and ACCC Scamwatch (scamwatch.gov.au). Check those sources for current official advice. This guide is not legal advice.