
Beginner's Guide to Fixing Website Security

If your Security Audit came back with red FAIL marks and you have no idea what to do next, this guide is for you. No jargon, no command-line wizardry, no assumptions about what you know. We will walk through the most common failures, explain what each one means in plain English, and tell you exactly what to do, or exactly what to ask your hosting provider to do for you.

Before you start: three things to know

1. A failed security check does not mean you have been hacked. It means a door is unlocked that should be locked. Fixing it makes your site harder to attack tomorrow.

2. You do not need to be a developer. Most fixes are either a toggle in your hosting control panel, a copy-paste into a settings file, or a one-line request to your hosting provider's support team.

3. You do not have to fix every finding to be safer. The five fixes below cover 80% of typical audit failures and take an afternoon at most.

Fix 1: Missing security headers

If the audit shows red marks for things called Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy or Permissions-Policy, these are missing security headers.

Headers are short instructions your website sends to every visitor's browser. The browser obeys them: for example, "do not let other websites embed me in a frame" or "only connect to me over HTTPS." Without these instructions, the browser falls back to default behaviour that is more permissive than it should be.

Easiest fix
Use a plugin or your hosting panel
If you use WordPress, install a security plugin that has a security-headers feature, such as Really Simple SSL (now called Really Simple Security). It lists the headers individually; enable all six. Treat Content-Security-Policy with care: a strict policy can block scripts, fonts or embedded videos your site legitimately uses, so reload a few pages after enabling it and loosen (or temporarily switch off) that one header if something stops working. The other five are safe to turn on straight away.

If you use Plesk hosting, see the Plesk fix guide: paste a small block of text into a settings field, click OK, done.

If neither of those describes you, use the message below to ask your hosting support team.
📨 What to send to your hosting support team
Hi, my website failed a security audit because it is missing recommended HTTP security headers. Please add the following six headers to my site at <yourdomain.com>: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Sensible default values are fine; I trust you to choose them. For Content-Security-Policy, please start with a policy that does not break the site (Content-Security-Policy-Report-Only is fine as a first step). Thank you.

Fix 2: The X-Powered-By header is leaking

This header tells anyone who asks exactly what software your site runs on. For example: X-Powered-By: PHP/7.4.0. Attackers scan the web for this header to find sites running specific software versions with known weaknesses. It is the digital equivalent of having your alarm system's brand on the front door. The Server header can leak in the same way (for example Server: Apache/2.4.41 (Ubuntu)); the fix is the same, so ask for it to be trimmed to the bare product name at the same time.

If you use Plesk
One-line fix in panel.ini
See the dedicated Plesk guide: three commands and the header is gone for every site on your server.
If you use WordPress
Remove it via your security plugin
Most security plugins (Wordfence, Sucuri) have a "Hide PHP/server version" option. Enable it. Or follow the WordPress fix guide for a code-level fix.
📨 What to send to your hosting support team (if neither of the above)
Hi, my website is leaking an X-Powered-By header that exposes my server's software version. Please set "expose_php = Off" in php.ini, and add "proxy_hide_header X-Powered-By" or "fastcgi_hide_header X-Powered-By" (nginx, depending on how PHP is connected) or "Header unset X-Powered-By" (Apache) to my domain's configuration. Please also make sure the Server header does not include a version number ("server_tokens off" on nginx, "ServerTokens Prod" on Apache). Thank you.
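If you are comfortable running a short Python script, the following check covers Fix 1 and Fix 2 together. It is an added example written for this guide, not code from the original page or from any plugin or hosting panel. Given one HTTP response's headers it reports which of the six security headers are missing, whether the ones present have sensible values (HSTS max-age of at least a year, X-Frame-Options DENY or SAMEORIGIN, nosniff, no 'unsafe-inline' for scripts in the CSP), and whether X-Powered-By or a versioned Server header is leaking. The two sample responses are constructed; fetch_headers is a convenience helper that needs network access and is not used by the samples.

```python
"""Added example for Fix 1 and Fix 2: audit one HTTP response's headers.
Not code from the original page; the sample responses below are constructed."""
import re
import urllib.request
from typing import Dict, List

# The six headers the audit expects, lower-cased (HTTP header names are case-insensitive).
EXPECTED = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
ONE_YEAR = 31536000  # HSTS max-age in seconds that browsers and preload lists expect


def _directive(value: str, key: str) -> str:
    """Return the value of `key=...` inside a ';'-separated header value, '' if absent."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == key:
            return val.strip()
    return ""


def csp_allows_inline_scripts(csp: str) -> bool:
    """True if script-src (or default-src, its fallback) contains 'unsafe-inline'."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one response; an empty list means all checks passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    # Fix 1: are the six headers present at all?
    for name in EXPECTED:
        if name not in h:
            findings.append(f"MISSING {name}")

    # Fix 1: do the ones that are present carry sensible values?
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = _directive(hsts, "max-age")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(f"WEAK strict-transport-security: max-age should be at least {ONE_YEAR}")
    xfo = h.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"WEAK x-frame-options: {xfo!r} (use DENY or SAMEORIGIN)")
    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"WEAK x-content-type-options: {xcto!r} (use nosniff)")
    csp = h.get("content-security-policy", "")
    if csp and csp_allows_inline_scripts(csp):
        findings.append("WEAK content-security-policy: 'unsafe-inline' in script-src lets injected scripts run")

    # Fix 2: version leaks. X-Powered-By should not exist; Server is acceptable only
    # without a version number (e.g. 'Apache' or 'nginx').
    if "x-powered-by" in h:
        findings.append(f"LEAK x-powered-by: {h['x-powered-by']!r}")
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"LEAK server: {server!r} (trim to the product name only)")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live helper (needs network): GET the URL and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples: a typical 'before' response, and the same site after the fixes.
SAMPLE_BEFORE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.0",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_AFTER = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"--- {label} ---")
        for finding in check_headers(sample) or ["all checks passed"]:
            print(finding)
```

To run it against your own site, call check_headers(fetch_headers("https://yourdomain.com")); the same raw headers can be seen with curl -sI https://yourdomain.com if you prefer to read them by eye. The values in SAMPLE_AFTER are reasonable defaults to hand to a hosting provider, with the usual caveat that the Content-Security-Policy line needs testing against the real site.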

Fix 3: TLS or HTTPS warnings

TLS is the technology behind the padlock icon in your browser's address bar. The audit checks three things: your certificate is valid, it is not about to expire, and your server is using a modern version of TLS.

Most modern hosting handles this for you. If you see a TLS warning, the most common causes are a certificate that has expired (usually because automatic renewal silently stopped working), a certificate that is not valid for the exact name visitors type (for example it covers yourdomain.com but not www.yourdomain.com), or old TLS 1.0/1.1 or SSL versions still switched on at the server.

📨 What to send to your hosting support team
Hi, my SSL/TLS check is failing. Please verify that my certificate is valid for both <yourdomain.com> and www.<yourdomain.com>, that it is set to auto-renew, and that the server only accepts TLS 1.2 and TLS 1.3 (please disable any older TLS or SSL versions). Thank you.
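The three TLS checks described above, as an added Python example written for this guide (not code from the original page). assess_tls turns the two values a TLS handshake gives you, the negotiated protocol name and the certificate details, into the same findings the audit reports; probe performs a live handshake against a hostname the way a browser would. The certificate in SAMPLE_CERT and the 14-day warning threshold are assumptions made for the example.

```python
"""Added example for Fix 3: turn the raw results of a TLS handshake into the
findings the audit reports (certificate validity, time to expiry, protocol
version). Not code from the original page; the sample certificate is constructed."""
import socket
import ssl
import time
from typing import Dict, List, Optional

MODERN = ("TLSv1.2", "TLSv1.3")
WARN_DAYS = 14  # assumption: flag certificates with fewer than two weeks left


def assess_tls(protocol: str, cert: Dict, now: Optional[float] = None) -> List[str]:
    """`protocol` is what SSLSocket.version() returns (e.g. 'TLSv1.3') and `cert`
    what SSLSocket.getpeercert() returns. `now` is seconds since the epoch and is
    a parameter so the logic can be checked against fixed dates."""
    now = time.time() if now is None else now
    findings = []
    if protocol not in MODERN:
        findings.append(f"OUTDATED protocol {protocol}: only TLS 1.2 and TLS 1.3 should be enabled")
    not_after = cert.get("notAfter")
    if not not_after:
        # getpeercert() gives an empty dict when the peer certificate was not verified
        findings.append("INVALID certificate: none presented or verification failed")
        return findings
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left < 0:
        findings.append(f"EXPIRED certificate ({-days_left:.0f} days ago)")
    elif days_left < WARN_DAYS:
        findings.append(f"EXPIRING certificate in {days_left:.0f} days: check that auto-renewal works")
    return findings


def probe(hostname: str, port: int = 443, timeout: float = 10.0) -> List[str]:
    """Live check (needs network). create_default_context() verifies the chain and
    the hostname the way a browser does, so a name mismatch or an untrusted issuer
    surfaces as a finding instead of a crash. It only reports the version this
    client negotiated (normally 1.2 or 1.3); it does not prove that TLS 1.0/1.1
    are disabled for older clients, so still ask your host to confirm that."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess_tls(tls.version(), tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return [f"INVALID certificate: {exc.verify_message}"]


# Constructed sample: a certificate that expires at the end of 2027.
SAMPLE_CERT = {"subject": ((("commonName", "yourdomain.com"),),),
               "notAfter": "Dec 31 23:59:59 2027 GMT"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or ["all TLS checks passed"])
    else:
        print(assess_tls("TLSv1.3", SAMPLE_CERT) or ["sample passes today"])
```

Run it as python tls_check.py yourdomain.com for a live result. If the output is an INVALID finding mentioning a hostname mismatch, the certificate does not cover the name you typed, which is exactly the www-versus-bare-domain problem the support message above asks the host to fix.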

Fix 4: No security.txt file

security.txt is a tiny text file that tells security researchers how to contact you if they find a problem with your website. Without it, a researcher who finds a serious bug has no obvious way to tell you, and may resort to making it public instead.

It is one of the simplest fixes on the entire list. Create a plain text file with these four lines (change the email and date):

Contact: mailto:security@yourdomain.com
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt

Upload it to your website at the path /.well-known/security.txt. Most hosting file managers let you create folders and files directly โ€” create a folder named .well-known (yes, with the leading dot) in your site root, then upload the file inside it.

💡 The Expires date should be less than a year in the future; that is what the security.txt standard (RFC 9116) recommends, and researchers are told not to rely on a file past its Expires date. Set yourself a reminder to update the date and re-upload the file every year. The file must be served over HTTPS at exactly that path for it to count.
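A small Python helper, added for this guide and not part of the original page, that generates the four-line file shown above and checks an existing one before you upload it: the two mandatory fields (Contact and Expires) are present, Expires is a proper timestamp that is neither already past nor more than a year out, and Canonical is an https URL at the right path. These rules come from RFC 9116; the sample file is the one from the guide, and the utc helper exists only to test with fixed dates.

```python
"""Added example for Fix 4: generate a security.txt and check one before uploading.
Not code from the original page. Checks follow RFC 9116: Contact and Expires
are mandatory, Expires should be under a year away, Canonical must be https."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_VALIDITY = timedelta(days=365)


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date; used to exercise the checks with fixed 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def make_security_txt(contact_email: str, site: str, now: Optional[datetime] = None,
                      valid_days: int = 364) -> str:
    """Build the four-line file from the guide; `site` is e.g. 'https://yourdomain.com'."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return "\n".join([
        f"Contact: mailto:{contact_email}",
        f"Expires: {expires}",
        "Preferred-Languages: en",
        f"Canonical: {site.rstrip('/')}/.well-known/security.txt",
    ]) + "\n"


def _parse_expires(value: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp such as 2027-12-31T23:59:59.000Z; None if malformed."""
    try:
        parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return findings for a security.txt body; an empty list means it is ready to upload."""
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"MALFORMED line (no colon): {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("MISSING Contact (mandatory)")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"BAD Contact {contact!r}: use a mailto:, https:// or tel: URI")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("MISSING Expires (mandatory, exactly one)")
    else:
        when = _parse_expires(expires[0])
        if when is None:
            findings.append(f"BAD Expires {expires[0]!r}: not an ISO 8601 timestamp")
        elif when <= now:
            findings.append("EXPIRED: update the Expires date and re-upload")
        elif when - now > MAX_VALIDITY:
            findings.append("EXPIRES too far ahead: keep it under one year")

    for canonical in fields.get("canonical", []):
        if not (canonical.startswith("https://") and canonical.endswith("/.well-known/security.txt")):
            findings.append(f"BAD Canonical {canonical!r}: must be an https URL ending in /.well-known/security.txt")
    return findings


# The four lines from the guide, as constructed sample input.
SAMPLE = """Contact: mailto:security@yourdomain.com
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt
"""

if __name__ == "__main__":
    print(validate_security_txt(SAMPLE) or "sample is valid today")
    print(make_security_txt("security@yourdomain.com", "https://yourdomain.com"))
```

The generator defaults to 364 days of validity so the file never trips the one-year rule; run the validator again on your yearly reminder, and it will tell you plainly when the date needs refreshing.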

Fix 5: Mail security DNS records (SPF, DKIM, DMARC)

Even if your website does not send email, attackers can still send phishing emails pretending to come from your domain. Three DNS records prevent this:

1. SPF lists the servers that are allowed to send mail for your domain.

2. DKIM adds a cryptographic signature to outgoing mail, so receivers can tell it really came from your mail provider and was not altered on the way.

3. DMARC tells receivers what to do with mail that fails SPF or DKIM (ignore it, quarantine it or reject it) and where to send you reports about attempts to spoof your domain.

If your domain never sends email at all, the records are short: an SPF record of v=spf1 -all and a DMARC record of v=DMARC1; p=reject. DKIM is not needed in that case, because there is no mail to sign.

If you use Google Workspace, Microsoft 365, or another mainstream email provider, they publish step-by-step instructions for adding SPF, DKIM and DMARC records to your DNS. The records go where your domain's DNS is hosted โ€” usually your domain registrar (GoDaddy, Namecheap, etc.) or your hosting control panel.

📨 What to send to your email provider or hosting support
Hi, I need to publish SPF, DKIM and DMARC TXT records for my domain <yourdomain.com> to prevent email spoofing. Please send me the exact values to add to my DNS, or apply them on my behalf if you manage my DNS. Thank you.
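Once the records are published, the following added Python example (written for this guide, not code from the original page) checks SPF and DMARC values for the weak settings that still let spoofing through: an SPF record ending in +all, ?all or no all term at all, a soft ~all, more than one SPF record or more than ten lookup terms (both of which receivers treat as a permanent error), and a DMARC record with p=none, a partial pct, or no rua reporting address. It does not do DNS lookups; copy the TXT values out of your DNS panel (or from dig TXT yourdomain.com and dig TXT _dmarc.yourdomain.com). The WEAK, FIXED and NO_MAIL records are constructed samples.

```python
"""Added example for Fix 5: check SPF and DMARC records for the weak settings
that let spoofing through. Not code from the original page. The records below
are constructed; for a real domain, copy the TXT values from your DNS panel."""
import re
from typing import Dict, List

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 allows per record
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(records: List[str]) -> List[str]:
    """`records`: every TXT value at the bare domain. Exactly one must be the SPF record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["MISSING SPF: add a TXT record 'v=spf1 ...' ('v=spf1 -all' if the domain never sends mail)"]
    if len(spf) > 1:
        return ["INVALID SPF: more than one v=spf1 record; receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("WEAK SPF: no 'all' term, so unlisted senders are neither failed nor flagged")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"WEAK SPF: '{all_term}' lets any server send as your domain; use -all")
    elif all_term == "~all":
        findings.append("SOFT SPF: '~all' only marks forged mail as suspicious; move to -all once DMARC is in place")
    lookups = 0
    for term in terms:
        match = re.match(r"[+\-~?]?(\w+)", term)
        if match and match.group(1).lower() in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"INVALID SPF: {lookups} lookup terms exceed the limit of 10; receivers give a permanent error")
    return findings


def assess_dmarc(records: List[str]) -> List[str]:
    """`records`: every TXT value at _dmarc.<domain>."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["MISSING DMARC: add a TXT record at _dmarc.<domain>, e.g. 'v=DMARC1; p=reject; rua=mailto:dmarc@<domain>'"]
    if len(dmarc) > 1:
        return ["INVALID DMARC: more than one record; receivers then apply no DMARC policy at all"]
    tags = _tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("INVALID DMARC: the 'p=' policy tag is mandatory")
    elif policy.lower() == "none":
        findings.append("WEAK DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"PARTIAL DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("INFO DMARC: no rua= address, so you get no reports on who is spoofing you")
    return findings


def assess_mail_records(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """`txt` maps DNS names to their TXT values, as copied from the DNS panel."""
    return assess_spf(txt.get(domain, [])) + assess_dmarc(txt.get(f"_dmarc.{domain}", []))


# Constructed samples: a common half-finished setup, the corrected version, and a no-mail domain.
WEAK = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none"],
}
FIXED = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com -all", "google-site-verification=abc123"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"],
}
NO_MAIL = {
    "yourdomain.com": ["v=spf1 -all"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"],
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("fixed", FIXED), ("no-mail", NO_MAIL)):
        print(f"--- {label} ---")
        for finding in assess_mail_records("yourdomain.com", records) or ["all checks passed"]:
            print(finding)
```

The INFO finding about rua is deliberately kept even for a domain that sends no mail: the reports are how you find out that someone is trying to impersonate you, and the mailbox they go to can live on any domain. DKIM is left out here because its record sits under a selector name (selector._domainkey.yourdomain.com) that only your mail provider knows; their setup instructions will tell you what to publish.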

What you can safely ignore

Not every audit finding is equally important. If you are short on time, these are lower priority:

Glossary

Header
A short instruction your website sends to every visitor's browser, separately from the page content. Headers tell the browser things like "be careful with this content" or "always use HTTPS for me."
HTTPS / SSL / TLS
The technology behind the padlock icon. Encrypts the connection between visitor and website so nobody in the middle can read it. SSL is the old name; TLS is the modern version. People say "SSL" but usually mean TLS.
CMS (Content Management System)
The software you use to manage your website's content. WordPress, Joomla, Drupal, Shopify, Squarespace and Wix are all CMSes.
DNS
The address book of the internet. DNS translates your domain name into the numerical IP address of the server. DNS records also store things like email-sending permissions.
Fingerprinting
When your website tells anyone who asks exactly what software it runs and what version. Helpful for support, dangerous for security. Best practice is to hide the version, like an unlabelled box of expensive equipment.
XSS (Cross-Site Scripting)
An attack where someone injects malicious JavaScript into your website's pages. A well-configured Content-Security-Policy header limits what an injected script can do, but the real fix is for the website to escape user-supplied content before displaying it.
CSRF (Cross-Site Request Forgery)
An attack where one website tricks a user's browser into performing an action on a different site the user is logged in to. Setting the SameSite attribute on session cookies (Lax or Strict) stops most CSRF; anti-CSRF tokens in forms cover the rest.

Ready for more detail?

Each fix above has a more thorough guide if you want to understand what is actually happening:

🛡 Run the audit, then come back

If you haven't yet, run the Security Audit on your domain. You'll see exactly which of the fixes above apply to your site, and which you can skip.
