Executive Summary
We performed a comprehensive security analysis of xtrn.nl across 6 categories. The website received an overall score of 63/100 (grade C), with 6 critical issues, 6 warnings, and 16 passed checks.
Overall assessment: xtrn.nl has significant security gaps that should be addressed as soon as possible. The current configuration leaves the website vulnerable to common attacks. We strongly recommend reviewing the critical issues listed in this report and implementing the recommended fixes without delay.
Top priority fixes:
Strong areas
Performance & SEO
Exposed Files
Needs improvement
DNS & Email Security
SSL & HTTPS
Needs work
Security Headers
Content & CMS
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Not fully — your website is missing important security protections that keep visitors safe.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Yes — your domain has email authentication records (SPF/DMARC) that prevent others from sending fake emails on your behalf.
Is my website leaking sensitive data?
Potential leaks found — some sensitive files or information may be publicly accessible to anyone.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
This website is probably trustworthy
Domain Registration (WHOIS)
Security Database Checks
Domain has been registered for 7.4 years (since 28 Oct 2018).
Could not retrieve Quad9 classification for this domain.
DNSFilter has not flagged this domain — no known threats detected.
Domain is not listed in the APWG phishing and malware database.
Malware & Virus Scan
CleanWhat is this?
URLhaus is a database maintained by abuse.ch that tracks URLs and domains used to distribute malware — exploit kits, ransomware droppers, banking trojans, and other malicious software. It is one of the most comprehensive active malware distribution blocklists.
Why does it matter?
A listing in URLhaus means this domain has been observed actively distributing malware to visitors. This could mean your website has been hacked and is serving malicious files, or that your domain was registered specifically for malware distribution.
How to fix it
1. Scan your website files for malware: - Use a hosting panel malware scanner (cPanel/Imunify360) - Use Wordfence (WordPress) or a server-side scanner like ClamAV - Check recently modified files: find /var/www -newer /tmp/ref -type f 2. Check access logs for suspicious uploads or requests 3. Change all passwords (FTP, hosting, CMS admin, database) 4. Request removal from URLhaus: Visit urlhaus.abuse.ch and submit a takedown request once your site is clean
What is this?
Cloudflare's Security DNS (1.1.1.2) is a public DNS resolver that automatically blocks domains known to distribute malware, ransomware, and phishing content. When a DNS query returns NXDOMAIN (domain not found) from the security resolver but the domain resolves normally on regular DNS, the domain is being blocked.
Why does it matter?
Being blocked by Cloudflare's security resolver means the domain has been identified as harmful by Cloudflare's threat intelligence. This actively protects millions of internet users from visiting the site, and indicates the domain has been reported or detected as malicious.
How to fix it
If your site is incorrectly blocked: 1. Check if your site has been hacked and clean any malware 2. Submit a false positive report to Cloudflare via their security portal 3. Check other threat databases (VirusTotal, URLhaus) for listings If the block is justified: 1. Clean all malware from your server 2. Change all credentials 3. Request removal from Cloudflare's threat database
What is this?
Spamhaus ZEN is a combined IP blocklist maintained by The Spamhaus Project, one of the most authoritative anti-spam and anti-malware organizations. ZEN combines SBL (spam sources), XBL (compromised/infected machines), and CBL (botnet command & control).
Why does it matter?
An IP listed in the SBL or XBL zones indicates the server has been identified as sending spam, hosting malware, or being infected by a botnet. This can cause legitimate emails from the server to be rejected by mail providers worldwide.
How to fix it
1. Check which Spamhaus list the IP is on: Visit check.spamhaus.org and enter your IP 2. If listed in SBL (spam source): - Find and remove the software or account sending spam - Check for compromised email accounts - Submit a removal request at spamhaus.org 3. If listed in XBL (compromised machine): - Your server may have malware or be part of a botnet - Run a full malware scan - Check for unauthorized processes: ps aux - Consider rebuilding the server if compromise is confirmed
Open Ports
No dangerous ports exposedWhat is this?
Port 21 is used by FTP (File Transfer Protocol), which lets you upload and download files to your server. FTP was designed in the early internet era before encryption existed.
Why does it matter?
FTP sends your username, password, and all transferred files in complete plaintext over the network. Anyone intercepting the connection — on the same network or via a man-in-the-middle attack — can read your credentials and every file you transfer.
How to fix it
Disable FTP and switch to SFTP (SSH File Transfer Protocol), which uses the same SSH encryption as terminal access: For FileZilla: connect using protocol SFTP and your SSH credentials. To disable pure FTP (Ubuntu): sudo systemctl stop vsftpd sudo systemctl disable vsftpd If FTP is absolutely required, use FTPS (FTP over TLS) instead of plain FTP.
What is this?
Port 22 is used by SSH (Secure Shell), the standard encrypted protocol for remote server access. It lets administrators log in to the server and run commands remotely.
Why does it matter?
SSH itself is secure, but an open SSH port is a constant target for brute-force attacks — bots continuously try thousands of username/password combinations. If password authentication is enabled, a weak password can lead to full server compromise.
How to fix it
Disable password authentication and use SSH keys only: Edit /etc/ssh/sshd_config: PasswordAuthentication no PubkeyAuthentication yes Then restart SSH: sudo systemctl restart sshd Optional: move SSH to a non-standard port (e.g. 2222) to reduce bot noise: Port 2222 Optional: use fail2ban to automatically block IPs with too many failed attempts: sudo apt install fail2ban
What is this?
Port 23 is used by Telnet, a very old remote access protocol from the 1960s. Like FTP, it was designed before encryption existed.
Why does it matter?
Telnet transmits everything — including your login credentials and every command you run — in complete plaintext. Anyone intercepting the connection sees exactly what you type. There is no situation where Telnet is preferable over SSH on a modern server.
How to fix it
Disable and remove Telnet: sudo systemctl stop telnet sudo systemctl disable telnet sudo apt remove telnetd # Ubuntu/Debian If port 23 is still open after removing Telnet, check what process is using it: sudo ss -tlnp | grep :23 Use SSH for all remote access. SSH provides the same functionality with full encryption.
What is this?
Port 3306 is the default port for MySQL (and MariaDB), the database server that stores your website's content, user accounts, orders, and all other data.
Why does it matter?
Exposing the MySQL port to the internet allows attackers to directly attempt to log in to your database using brute force or stolen credentials. If they succeed, they have full access to all your data without needing to compromise the website itself.
How to fix it
Block the port with a firewall (UFW on Ubuntu): sudo ufw deny 3306/tcp Or restrict to only your app server IP: sudo ufw allow from YOUR_APP_IP to any port 3306 Also bind MySQL to localhost in /etc/mysql/mysql.conf.d/mysqld.cnf: bind-address = 127.0.0.1 Then restart MySQL: sudo systemctl restart mysql For remote DB management, use an SSH tunnel instead: ssh -L 3306:127.0.0.1:3306 user@yourserver
What is this?
Port 5432 is the default port for PostgreSQL, an advanced open-source relational database. Like MySQL, it stores all application data.
Why does it matter?
A publicly reachable PostgreSQL port exposes the database directly to brute-force attacks. PostgreSQL also has a history of being exploited when authentication is misconfigured (e.g. trust authentication).
How to fix it
Block with UFW: sudo ufw deny 5432/tcp Bind PostgreSQL to localhost in /etc/postgresql/*/main/postgresql.conf: listen_addresses = 'localhost' Restart PostgreSQL: sudo systemctl restart postgresql For remote access, use an SSH tunnel: ssh -L 5432:127.0.0.1:5432 user@yourserver
What is this?
Port 6379 is the default port for Redis, an in-memory data store commonly used for caching, session storage, and queues. Redis has no authentication by default.
Why does it matter?
An exposed Redis instance is one of the most dangerous vulnerabilities a server can have. Attackers can read all cached data (including user sessions), write arbitrary data, use Redis's replication feature to write SSH keys to the server and gain root access, or abuse it for DDoS amplification.
How to fix it
Block with UFW immediately: sudo ufw deny 6379/tcp Bind Redis to localhost in /etc/redis/redis.conf: bind 127.0.0.1 Enable a strong password: requirepass YourStrongPasswordHere Restart Redis: sudo systemctl restart redis If Redis must be reachable from another server, use an SSH tunnel or VPN — never expose it directly.
What is this?
Port 27017 is the default port for MongoDB, a NoSQL document database. MongoDB stores data as JSON-like documents and is popular for modern web applications.
Why does it matter?
Hundreds of thousands of MongoDB databases have been wiped by automated attacks — attackers delete all data and leave a ransom note demanding Bitcoin. This happened because many MongoDB installations were publicly accessible with no authentication enabled.
How to fix it
Block with UFW: sudo ufw deny 27017/tcp Bind to localhost in /etc/mongod.conf: net: bindIp: 127.0.0.1 Enable authentication: security: authorization: enabled Restart MongoDB: sudo systemctl restart mongod
What is this?
Port 9200 is the default HTTP API port for Elasticsearch, a search and analytics engine. It provides a full REST API for querying and managing data.
Why does it matter?
Elasticsearch has no authentication by default. An exposed port gives anyone full read/write access to all indexed data via simple HTTP requests. Exposed Elasticsearch has caused massive data breaches affecting billions of records (medical data, voter records, financial data).
How to fix it
Block with UFW: sudo ufw deny 9200/tcp sudo ufw deny 9300/tcp # cluster port Bind to localhost in elasticsearch.yml: network.host: 127.0.0.1 If using Elastic Cloud or a paid licence, enable X-Pack security: xpack.security.enabled: true Restart Elasticsearch: sudo systemctl restart elasticsearch
What is this?
Port 11211 is the default port for Memcached, an in-memory caching system used to speed up web applications by storing frequently accessed data.
Why does it matter?
Memcached has no authentication. An exposed instance lets anyone read or manipulate your cache. It is also heavily abused for DDoS amplification attacks — attackers send small spoofed requests to Memcached which generates much larger responses, overwhelming the victim.
How to fix it
Block with UFW: sudo ufw deny 11211/tcp Bind to localhost when starting Memcached (in /etc/memcached.conf): -l 127.0.0.1 Restart Memcached: sudo systemctl restart memcached
Privacy & GDPR
What is this?
A cookie consent banner is a notice that informs visitors about cookie usage and asks for their consent before non-essential cookies (analytics, marketing, advertising) are set. Under GDPR (EU), PECR (UK), and similar laws, this consent must be freely given, specific, and informed.
Why does it matter?
The GDPR (General Data Protection Regulation) requires explicit consent before setting non-essential cookies. Violations can result in fines of up to €20 million or 4% of global annual turnover. Beyond legal requirements, it builds user trust and demonstrates transparency.
How to fix it
Use a consent management platform (CMP): Free options: - CookieYes (cookieyes.com) — free tier available - Osano (osano.com) — free for small sites - Cookie Consent by Osano (open source) Premium/advanced: - Cookiebot - OneTrust - Usercentrics For WordPress: install a GDPR consent plugin (e.g. Complianz, CookieYes plugin) Ensure your banner: - Does NOT pre-tick consent boxes - Makes 'Reject all' as easy as 'Accept all' - Lists exactly which cookies are used and why
What is this?
A privacy policy is a legal document that explains what personal data you collect from users, why you collect it, how it is used, who it is shared with, and how users can request deletion or access to their data.
Why does it matter?
A privacy policy is legally required in most jurisdictions: GDPR (EU/EEA), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and more. Without one, you risk regulatory fines, loss of payment processor accounts (Stripe/PayPal require it), removal from ad platforms, and loss of user trust.
How to fix it
Create a privacy policy and link to it in your footer. Free generators: - TermsFeed (termsfeed.com) - Iubenda (iubenda.com) — free tier - GetTerms (getterms.io) Your policy must cover: 1. What data you collect (name, email, IP, cookies, etc.) 2. Why you collect it (legal basis under GDPR) 3. Who you share it with (hosting, analytics, payment processors) 4. How long you keep it 5. User rights (access, deletion, portability) 6. Contact information for a data protection officer or contact Update it whenever you add new services or change data practices.
What is this?
Tracking scripts are third-party JavaScript snippets embedded in your website that collect data about visitor behaviour — pages visited, time spent, clicks, demographics, purchases, and more. Common examples are Google Analytics, Meta Pixel (Facebook), and Hotjar.
Why does it matter?
Under GDPR, tracking scripts that process personal data (IP addresses, device fingerprints, cookies) require a legal basis — usually explicit consent. Loading tracking scripts before consent is obtained is a GDPR violation. Data Protection Authorities across Europe have issued fines specifically for this.
How to fix it
Only load tracking scripts after the user has given consent: 1. Use a tag manager (Google Tag Manager) that is controlled by your consent platform — the CMP fires the tag only after consent 2. Or use a consent-aware loading approach: if (userHasConsented()) { // load analytics script } 3. Consider privacy-friendly analytics that do not require consent: - Plausible Analytics (EU-hosted, no cookies) - Fathom Analytics - Matomo (self-hosted, can be cookie-free) 4. For Facebook Pixel specifically: only fire events after consent and enable 'Limited Data Use' mode for California users
Exposed Files
No sensitive files exposedWhat is this?
The .env file is a configuration file used by Laravel, Node.js, and many other frameworks to store environment-specific settings such as database credentials, API keys, secret tokens, and application configuration.
Why does it matter?
Exposing .env gives attackers your database password, secret keys, and API credentials in a single file. This allows immediate database access, session forgery, and abuse of third-party services billed to you. It is one of the most critical vulnerabilities a web server can have.
How to fix it
Nginx — add to your server block: location ~ /\.env { deny all; return 404; } Apache — add to .htaccess: <Files ".env"> Order allow,deny Deny from all </Files> Also rotate all credentials immediately: database password, API keys, APP_KEY, etc. Assume they are already compromised.
What is this?
The .git directory is the repository created by Git to track version history, branches, commits, and file contents. When exposed via a web server, attackers can reconstruct the entire source code by downloading the repository files.
Why does it matter?
A publicly accessible .git directory gives attackers your complete source code including every past commit — even if you deleted sensitive files, they remain in the commit history. Attackers can find hardcoded credentials, API keys, business logic, and vulnerability patterns in the code.
How to fix it
Nginx — block access to .git: location ~ /\.git { deny all; return 404; } Apache — add to .htaccess: RedirectMatch 404 /\.git Alternatively, deploy from a build artifact rather than cloning directly to the web root. The .git directory should never exist in a production web root.
What is this?
phpinfo() is a built-in PHP function that outputs a detailed page showing the PHP version, configuration directives, loaded extensions, environment variables, server paths, and build information.
Why does it matter?
The phpinfo output gives attackers a detailed map of your server: exact PHP version (for CVE targeting), enabled extensions, file paths, and environment variables (which may include credentials). This is an information disclosure vulnerability that makes all other attacks easier to tailor.
How to fix it
Delete phpinfo.php (and any similar files like info.php, test.php, i.php) from your web root immediately: rm /var/www/html/phpinfo.php Search for any others: find /var/www -name 'phpinfo.php' -o -name 'info.php' Never create diagnostic files on production servers. Use staging environments for diagnostics.
What is this?
SQL backup files (backup.sql, dump.sql, database.sql, etc.) are plain-text exports of database content produced by tools like mysqldump. When accessible via HTTP, the entire database can be downloaded.
Why does it matter?
A publicly downloadable database backup gives attackers all user data, emails, password hashes (or worse, plaintext passwords), order records, and any other data your application stores. This is a direct GDPR/privacy law violation and gives attackers everything needed to impersonate or contact your users.
How to fix it
Move backups outside the web root: mv /var/www/html/backup.sql /var/backups/ Search for other SQL files: find /var/www -name '*.sql' Store backups in a non-public location or use encrypted cloud storage (S3 with private ACL). Never store backup files in any publicly accessible directory.
What is this?
wp-config.php.bak is a backup copy of the WordPress configuration file. WordPress itself protects wp-config.php but backup files with .bak, .old, or .orig extensions are served as plain text by most web servers.
Why does it matter?
This file contains the MySQL database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), authentication secret keys, and the database table prefix. With these credentials an attacker can access your entire WordPress database directly.
How to fix it
Delete the backup file immediately: rm /var/www/html/wp-config.php.bak Search for other wp-config variants: find /var/www -name 'wp-config*' To protect against accidental future exposure, add to .htaccess: <Files "wp-config.php"> Order deny,allow Deny from all </Files>
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Detected Technologies
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
70/100SPF record configured
SPF record found: "v=spf1 a mx ip4:213.159.24.249 include:_spf.mijnspamfilter.nl include:spf.protection.outlook.com include:spf.flowmailer.net include:_spf.xpslogic.com include:_spf.mijnwefact.nl -all".
DMARC record configured
DMARC record found with policy "reject": "v=DMARC1; p=reject".
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DNSSEC
DNSSEC could not be confirmed via this check. Verify with your domain registrar.
Fix: Enable DNSSEC through your domain registrar to protect against DNS cache poisoning.
SSL & HTTPS
60/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate is valid and expires on 2026-05-08 (42 days left).
HTTP redirects to HTTPS
HTTP requests are not being redirected to HTTPS.
Fix: Configure a permanent (301) redirect from HTTP to HTTPS.
HSTS header configured
No Strict-Transport-Security (HSTS) header found.
Fix: Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Content & CMS
55/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
A CMS admin panel is directly accessible at /wp-login.php. Ensure it requires strong authentication.
Fix: Restrict admin access by IP address, or add two-factor authentication.
CMS version not exposed
WordPress detected. Version "6.9.4" is exposed in the page source, which helps attackers target known vulnerabilities.
Fix: Remove the generator meta tag and strip ?ver= parameters from script/style URLs.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
11/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
No Content-Security-Policy header found.
Fix: Add a Content-Security-Policy header to restrict which resources the browser may load, preventing XSS attacks.
X-Frame-Options
No X-Frame-Options header found. The site may be vulnerable to clickjacking.
Fix: Add X-Frame-Options: DENY or SAMEORIGIN, or use CSP frame-ancestors.
X-Content-Type-Options
X-Content-Type-Options header is missing.
Fix: Add X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses.
Referrer-Policy
No Referrer-Policy header found.
Fix: Add Referrer-Policy: strict-origin-when-cross-origin to control how much referrer info is sent.
Permissions-Policy
No Permissions-Policy header found.
Fix: Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation.
Performance & SEO
100/100Fast server response time (TTFB)
Time To First Byte: 172 ms (measured from our scanner server) — excellent.
Response compression enabled
Compression is enabled (gzip) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (6)
What is this?
An HTTP to HTTPS redirect automatically sends visitors who type http:// (or click an old link) to the secure https:// version of your site.
Why does it matter?
If HTTP is not redirected, some visitors may unknowingly browse your site without encryption. It also causes duplicate content issues for SEO since the same page exists on both http:// and https://.
How to fix it
Add a 301 redirect in your server config: Nginx: return 301 https://$host$request_uri; Apache: Redirect permanent / https://yourdomain.com/ Or in .htaccess: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
What is this?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.
Why does it matter?
Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.
How to fix it
Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
What is this?
X-Frame-Options controls whether your website can be embedded in an <iframe>, <frame>, or <object> on another website.
Why does it matter?
Without this header, attackers can embed your site invisibly in an iframe on a malicious page and trick users into clicking buttons or links without knowing it (clickjacking). This can be used to perform actions on behalf of a logged-in user.
How to fix it
Add one of these response headers: X-Frame-Options: DENY — prevents all framing X-Frame-Options: SAMEORIGIN — allows framing only from the same domain Nginx: add_header X-Frame-Options "SAMEORIGIN" always; Apache: Header always set X-Frame-Options "SAMEORIGIN" Modern alternative: use CSP with frame-ancestors directive: Content-Security-Policy: frame-ancestors 'self';
What is this?
X-Content-Type-Options with the value "nosniff" tells browsers not to guess (sniff) the content type of a response, but to strictly use the Content-Type header the server sends.
Why does it matter?
Without this header, a browser might interpret an uploaded text file as JavaScript if it contains script-like content — a technique attackers can exploit to run malicious code even when file uploads are allowed.
How to fix it
Add this header to all responses: X-Content-Type-Options: nosniff Nginx: add_header X-Content-Type-Options "nosniff" always; Apache: Header always set X-Content-Type-Options "nosniff" Laravel: add to middleware or in .htaccess.
What is this?
The Referrer-Policy header controls how much information about the originating page is included in the Referer header when a user navigates away from your site or when resources are loaded.
Why does it matter?
Without a Referrer-Policy, the full URL of the current page (which may include session tokens, user IDs, or sensitive paths) is sent to external sites in the Referer header. This can leak private information to third-party analytics, CDN providers, or ad networks.
How to fix it
Recommended value: Referrer-Policy: strict-origin-when-cross-origin (sends origin only for cross-origin requests, full URL for same-origin) Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always; Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin" Alternatives: no-referrer (most private), same-origin (no cross-origin referrer).
Warnings (6)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with.
Why does it matter?
Without DNSSEC, DNS responses can be forged (DNS cache poisoning / BGP hijacking), redirecting your visitors to a fake server without them knowing. DNSSEC ensures the DNS record they receive is the one you published.
How to fix it
DNSSEC must be enabled at both your DNS registrar and your DNS hosting provider: 1. Enable DNSSEC at your domain registrar (Namecheap, GoDaddy, TransIP, etc.) 2. Enable DNSSEC signing at your DNS host (Cloudflare enables this automatically) 3. The registrar publishes DS records pointing to your zone\'s key If you use Cloudflare: enable DNSSEC with one click in the DNS tab. Note: DNSSEC is difficult to set up incorrectly — misconfiguration can take your domain offline. Follow your registrar\'s guide carefully.
What is this?
Common CMS admin panel paths like /wp-admin or /administrator are publicly accessible without any IP restriction.
Why does it matter?
A publicly accessible admin panel is a target for brute-force attacks and credential stuffing. Attackers continuously scan the web for these paths and run automated login attempts. If credentials are weak or reused, this is how sites get compromised.
How to fix it
Option 1: IP restriction (most secure) Nginx: location /wp-admin { allow your.ip.address; deny all; } Option 2: Two-factor authentication WordPress: install WP 2FA or Google Authenticator plugin Option 3: Move the admin URL (WordPress only) Install WPS Hide Login plugin to change /wp-admin to a custom path Option 4: HTTP Basic Auth as extra layer Add a password prompt before the admin panel is shown
What is this?
The WordPress version number is visible in the HTML source — either in the generator meta tag (<meta name="generator" content="WordPress 6.2">) or in script/style URLs as ?ver=6.2.
Why does it matter?
Knowing the exact WordPress version allows attackers to look up known CVEs (Common Vulnerabilities and Exposures) for that version and target known exploits. Version disclosure is an information leak that makes targeted attacks easier.
How to fix it
Remove the generator meta tag by adding to functions.php: remove_action('wp_head', 'wp_generator'); Remove ?ver= query strings from URLs: function remove_version_strings($src) { if (strpos($src, '?ver=') !== false) { $src = remove_query_arg('ver', $src); } return $src; } add_filter('style_loader_src', 'remove_version_strings'); add_filter('script_loader_src', 'remove_version_strings'); Alternatively use a security plugin like Wordfence or iThemes Security which does this automatically.
What is this?
Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.
Why does it matter?
Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.
How to fix it
Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/PgWNFz2T">
<img src="https://webcheckapp.com/scan/PgWNFz2T/badge" alt="Security score: 63/100">
</a>