← back to blog
3 min read
  • #security
  • #audit
  • #small-business
  • #web

What a security audit looks like for a small site

The exact five things I check on every small business site: headers, forms, admin panels, old software, and leaked keys. Plus what a finding looks like in plain words.


Most small business sites have never been looked at by anyone thinking like an attacker. The owner paid for the site once, maybe years ago, and it has been quietly running ever since. Nobody knows if it is fine, because nobody has checked.

I run a basic security pass as part of every site audit I do for local businesses around Heber City and Park City. This post is exactly what I check, what a finding looks like when I write one up, and where my checks stop.

The five things I check on every site

Security headers. This is first because it takes two minutes and tells me a lot. I run curl -I against the homepage and drop the domain into securityheaders.com. I am looking for Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options or frame-ancestors. Missing headers do not mean you are hacked. They mean whoever built the site never thought about this layer, and that usually predicts everything else I find.

Form abuse. Contact forms and quote forms are the front door for spam and worse. I check three things: is there any rate limiting or bot protection, does the form submit over HTTPS, and does anything a visitor types get echoed back to the page without being escaped. A landscaper's quote form with none of these turns into a spam pipe within a few months, and the owner quietly stops trusting their own inbox.

Exposed admin panels. I try the common paths: /wp-admin, /wp-login.php, /admin, /phpmyadmin. Then I search Google with site:yourdomain.com to see what got indexed. A reachable login page is not automatically a problem. A login page with no lockout, no 2FA, and a WordPress version string from 2021 printed in the page source is. Bots find these pages within days of a site going live. They do not need to be told where to look.

Outdated dependencies. I fingerprint the stack with browser dev tools and a Wappalyzer pass. Old jQuery from 2015, WordPress plugins several major versions behind, a PHP version in the response headers that stopped getting security patches. On JavaScript builds I run npm audit. Old software is the single most common thing I find, because nobody's job is to update a finished site.

Leaked keys and files. I check whether /.git or /.env is reachable from a browser, look for backup files like site.zip or backup.sql sitting in the web root, and read the JavaScript bundles for API keys. Some keys are fine in public, like a Stripe publishable key. An unrestricted Google Maps key is a billing problem waiting to happen. A secret key in a bundle is an emergency.

What a finding actually looks like

I write findings for the owner, not for another engineer. No CVSS scores, no jargon dump. Each one is four lines:

  • Finding: your site does not send a Strict-Transport-Security header.
  • Why it matters: a browser on coffee shop wifi can be tricked into loading your site over plain HTTP, where the connection can be read or changed.
  • Fix: one line in your hosting config. Most hosts have a checkbox for it.
  • Effort: about 15 minutes.

That is the whole format. What it is, why you should care in plain words, how to fix it, and how long the fix takes. I rank the findings worst first and cap the audit at three, so it gets read instead of filed.

Where my checks stop

Honesty about scope matters more in security than anywhere else. This is not a penetration test. I do not exploit anything, I do not guess passwords against your live login, and I do not test how your site holds up under load. I am studying for Security+ SY0-701 and eJPT right now, not certified in either yet, so I stay inside what I can verify: configuration, exposure, and hygiene. If you process card data on your own servers or store anything medical, you need a certified firm and a real assessment, and I will tell you that directly.

The other limit worth stating: passing all five checks does not mean your site is secure. It means the obvious doors are closed. That is still worth a lot, because the obvious doors are the ones bots try first, thousands of times a day, on every small site including yours.

If you run a local business and have no idea when anyone last looked at your site this way, that is normal, and it is fixable fast. I do a free 24-hour audit, three real findings, yours to keep either way.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.