๐Ÿ›ก๏ธ Cybersecurityโฑ 8 min read

Website Security Checklist for Australian Businesses (2026)

A complete website security checklist for Australian businesses covering SSL, headers, authentication, data protection, and compliance

This checklist covers the essential security controls every Australian business website needs — from basic HTTPS enforcement to Australian Privacy Act compliance. Each item is actionable and ordered by priority: fix critical items first, then work through the rest. According to the ACSC, 1 in 5 Australian SMBs experienced a cyber incident in 2025, with the average cost per incident exceeding $46,000.

Critical — fix immediately

SSL/TLS configuration

  • ☐ HTTPS enforced on all pages (no HTTP fallback)
  • ☐ TLS 1.2 or 1.3 only — TLS 1.0 and 1.1 disabled
  • ☐ SSL certificate valid and auto-renewing
  • ☐ HSTS header enabled: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • ☐ No mixed content warnings (all resources loaded over HTTPS)

Authentication security

  • ☐ Admin login URLs changed from defaults (/wp-admin, /admin)
  • ☐ Brute force protection enabled (account lockout after 5 failed attempts)
  • ☐ Two-factor authentication on all admin accounts
  • ☐ Strong password policy enforced (minimum 12 characters)
  • ☐ Session cookies set with HttpOnly, Secure, and SameSite flags

High priority — address within one week

Security headers

  • ☐ Content-Security-Policy — prevents XSS and code injection
  • ☐ X-Frame-Options: DENY โ€” prevents clickjacking
  • ☐ X-Content-Type-Options: nosniff โ€” prevents MIME sniffing
  • ☐ Referrer-Policy: strict-origin-when-cross-origin
  • ☐ Permissions-Policy — disables unused browser features (camera, microphone, geolocation)

Software updates

  • ☐ CMS updated to latest version (WordPress, Shopify, etc.)
  • ☐ All plugins and themes updated
  • ☐ Unused plugins and themes removed entirely
  • ☐ Server software (PHP, Node.js, nginx) up to date
  • ☐ Automatic updates enabled where available

Input validation

  • ☐ All form inputs validated server-side (not just client-side)
  • ☐ File uploads restricted by type and size
  • ☐ SQL injection protection on all database queries (parameterised queries)
  • ☐ Cross-site scripting (XSS) prevention — user input escaped before display
  • ☐ CSRF tokens on all forms that change data

Medium priority — address within one month

Information exposure

  • ☐ Server version headers removed (X-Powered-By, Server)
  • ☐ Directory listing disabled
  • ☐ Error pages show generic messages (no stack traces or debug info)
  • ☐ Backup files not accessible from the web (.bak, .old, .sql)
  • ☐ Configuration files not exposed (.env, wp-config.php, .git)
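As an added example (not part of the original checklist), the following Python function checks a captured set of HTTP response headers against the security header, session cookie and information exposure items above, reporting a missing or weak HSTS policy, missing headers, leaky Server/X-Powered-By headers and cookies without HttpOnly, Secure or SameSite; the two sample responses are constructed for the demonstration, not captured from any real site.

```python
# Added example: audit a response's (name, value) headers against the checklist above.
from typing import List, Tuple

# Headers the checklist wants present (HTTP header names are case-insensitive).
REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy")
LEAKY = ("Server", "X-Powered-By")  # disclose software versions; should be removed
ONE_YEAR = 31536000                 # minimum HSTS max-age for preload eligibility

def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    lower = {name.lower(): value for name, value in headers}
    for name in REQUIRED:
        if name.lower() not in lower:
            findings.append(f"{name} missing")
    for name in LEAKY:
        if name.lower() in lower:
            findings.append(f"{name} discloses software: {lower[name.lower()]}")
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d[8:] for d in directives if d.startswith("max-age=")), "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("HSTS max-age below one year (or malformed)")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    # Every Set-Cookie (there may be several) needs HttpOnly, Secure and SameSite.
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("HttpOnly", "Secure", "SameSite"):
                if flag.lower() not in attrs:
                    findings.append(f"cookie {cookie!r} lacks {flag}")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = [("Server", "nginx/1.24.0"), ("Strict-Transport-Security", "max-age=300"),
               ("Set-Cookie", "sessionid=abc123; Path=/")]
SAMPLE_HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'"), ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"), ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_response(sample) or ["all clear"])
```

To audit a live site, feed it the header pairs from your HTTP client's response object (for example `response.raw.headers.items()` in `requests` or `response.getheaders()` from `http.client`) so that repeated Set-Cookie headers are preserved.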

Email security

  • ☐ SPF record configured — specifies which servers can send email for your domain
  • ☐ DKIM configured — digitally signs outgoing emails
  • ☐ DMARC policy set — tells receiving servers what to do with failed authentication
  • ☐ No open mail relay on your server

Backup and recovery

  • ☐ Automated daily backups running
  • ☐ Backups stored offsite (not just on the same server)
  • ☐ Backup restoration tested at least once
  • ☐ Recovery time documented — how long to restore after an incident

Australian compliance requirements

Australian Privacy Act 1988

  • ☐ Privacy policy published and accessible from every page
  • ☐ Data collection minimised — only collecting what's necessary
  • ☐ User consent obtained before collecting personal information
  • ☐ Data stored securely with encryption at rest
  • ☐ Process in place for responding to access and correction requests

Notifiable Data Breaches (NDB) scheme

  • ☐ Data breach response plan documented
  • ☐ Process for assessing whether a breach is "likely to result in serious harm"
  • ☐ OAIC notification template prepared
  • ☐ Staff trained on breach identification and escalation

Ongoing — repeat quarterly

  • ☐ Run automated vulnerability scan
  • ☐ Review and rotate all passwords and API keys
  • ☐ Review user access — remove accounts no longer needed
  • ☐ Check all third-party integrations still necessary and up to date
  • ☐ Review server logs for unusual access patterns
  • ☐ Test backup restoration

How does your website score on this checklist?

RabbiiCo Studio's free Attack Surface Scan checks your website against this checklist automatically and provides a prioritised remediation report. No obligation.

Get your free security scan →