
How to Fix Every Security Audit Finding

Pick your platform below. Each guide walks through the specific fix instructions for every finding the AIWebPageSEO Security Audit raises: HTTP security headers, TLS configuration, cookie flags, mixed content, server fingerprint, CMS version exposure, mail security DNS records and security.txt. Whether you administer the server yourself or use a control panel, there is a path here for you.

New here?
Start with the Security Audit Guide for the full overview, the example report to see what a perfect score looks like, or the beginner tutorial for the basics. Then pick the fix guide that matches your stack.

By skill level

Same checks, different presentation. Choose the format that matches how you prefer to learn:

Beginner Guide: Step-by-step fixes LIVE
Copy-and-paste instructions for the most common audit failures. No jargon, no assumptions about command-line experience. Covers what to ask your hosting provider when you cannot fix something yourself.
Expert Guide: Dense reference LIVE
Terse, dense reference for sysadmins. Assumes nginx/Apache fluency. Covers edge cases, trade-offs, header inheritance gotchas and the patterns that look right but fail in production.

By server / control panel

Where the fixes are actually configured, at the web server or hosting control panel layer:

How to fix security headers in Plesk LIVE
Plesk Obsidian: panel.ini configuration, Additional nginx directives, removing X-Powered-By PleskLin permanently, configuring CSP and HSTS via the UI, and securing every domain on a multi-tenant Plesk install.
How to fix security headers in cPanel LIVE
cPanel and WHM: .htaccess header rules, ModSecurity tuning, Apache and LiteSpeed configuration, removing server signature.
How to fix security headers in DirectAdmin LIVE
DirectAdmin custom configuration, header rules at the user level, server-wide template overrides.
How to fix security headers in bare nginx LIVE
Self-managed nginx: add_header directives at server and location level, the inheritance trap, server_tokens off, ssl_protocols configuration.
How to fix security headers in bare Apache LIVE
Self-managed Apache: mod_headers, .htaccess vs httpd.conf, ServerTokens Prod, ServerSignature Off, removing ETag fingerprinting.
How to fix security headers via Cloudflare LIVE
Cloudflare Transform Rules and Response Header Modification: layering headers in front of any origin, the precedence order between origin and edge, free-tier vs Pro tier limits.

By CMS

Where fixes are applied inside the application, which is useful when your hosting locks you out of the server config:

How to fix security headers in WordPress LIVE
WordPress: removing the generator meta tag, security headers via functions.php or a plugin (Really Simple SSL, Wordfence, Sucuri), wp-config.php hardening, hiding the WP version everywhere.
How to fix security headers in Joomla LIVE
Joomla 4 / 5: HTTP Headers plugin, Global Configuration settings, removing version meta, recommended security extensions.
How to fix security headers in Drupal LIVE
Drupal 10 / 11: Security Kit (seckit) module, services.yml configuration, removing X-Drupal-Cache and X-Generator headers.
How to fix security headers in Ghost LIVE
Ghost blogs: routes.yaml, nginx in front of Ghost, Ghost(Pro) managed hosting limitations.
How to fix security headers on forum software LIVE
phpBB, Discourse, Flarum, vBulletin: forum-specific gotchas, cookie security for logged-in users, CSP that does not break embedded media or quote functionality.

Managed and closed platforms

For Shopify, Wix, Squarespace, Webflow, Substack, Medium, Blogger, BigCommerce, WP Engine, Kinsta and similar managed hosts: most of the security checks our audit covers are handled by the platform itself. You generally cannot, and do not need to, configure HTTP security headers, TLS protocols or server fingerprinting on these platforms. A dedicated guide for managed platforms is planned; until then, the short answer is:

What our Security Audit checks

Every guide above maps back to the same set of 23 checks across 9 families. If you want the full reference of what is being checked and why, read the complete Security Audit Guide. To see a perfect-score report, see the example audit report.

Run the audit first

Before you start fixing, run the audit and see exactly what fails on your domain. The fixes you need will be specific: not every check matters for every site.

Run free security audit
Related Guides: Security Audit Guide · Example Audit Report · Beginner Tutorial · Learning Hub