Before I'll take on a small business as a client, I run a twenty-minute check on their public site. Not because I'm billing for it. Because if there's something embarrassing about to surface, I'd rather know before the engagement starts than after. Out of maybe sixty of these I've done since 2023, three came back clean. Two of those three had been built the same month.
Here's what I look at, and what I find.
HTTPS that doesn't bend
I type the bare domain and see if the browser redirects. I type www and check that the cert covers it. Then I look for the HSTS header. Missing HSTS is the single most common finding. The cert's there, HTTPS works, but an attacker on the same coffee-shop wifi can still downgrade someone's first visit and harvest whatever they submit. HSTS takes two minutes to turn on at Cloudflare. Every time I mention it in a report, the response is some version of "wait, we don't have that?"
While I'm in the TLS config, I check for TLS 1.0 and 1.1. If they're still accepted in 2026, something about the hosting stack is unloved.
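The redirect and HSTS checks above, as an added example (not code from the original post). It works on status codes and header dicts you have already captured, for instance with `curl -sI`, so it runs offline; the responses and the example.test domain are constructed, and the 180-day minimum for max-age is my assumption.

```python
"""Assess the http->https redirect and the HSTS header from captured responses.

Added example, not code from the original post. Operates on captured status codes and
header dicts so it runs offline; all responses below are constructed.
"""
from urllib.parse import urlparse

# Assumption: anything under 180 days is too short (browser preload lists want a year).
MIN_MAX_AGE = 15552000


def _header(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value} (names lowercased)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(https_headers):
    """Return findings for the HSTS header of an https response; [] means it is fine."""
    hsts = _header(https_headers, "Strict-Transport-Security")
    if hsts is None:
        return ["HSTS missing: a first visit over http:// can be held on plain HTTP"]
    d = parse_hsts(hsts)
    findings = []
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age == 0:
        findings.append("max-age=0 switches the policy off")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below {MIN_MAX_AGE}; browsers forget the policy quickly")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: www and other hosts are not covered")
    return findings


def check_redirect(status, http_headers, requested_url):
    """Return findings for the plain-http response; [] means it redirected to https on the same host."""
    location = _header(http_headers, "Location")
    if status not in (301, 302, 307, 308) or not location:
        return [f"http:// request answered with {status} instead of a redirect"]
    target = urlparse(location)
    if target.scheme != "https":
        return [f"redirect points at {target.scheme}:// rather than https://"]
    if target.hostname != urlparse(requested_url).hostname:
        return [f"redirect leaves the host for {target.hostname}"]
    return []


# Constructed sample responses (not captured from any real site).
HTTP_RESPONSE = (301, {"Location": "https://example.test/"})
HTTPS_NO_HSTS = {"Content-Type": "text/html"}
HTTPS_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
HTTPS_WEAK = {"Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    status, headers = HTTP_RESPONSE
    print("redirect:", check_redirect(status, headers, "http://example.test/") or "ok")
    for label, hdrs in (("no HSTS", HTTPS_NO_HSTS), ("good", HTTPS_GOOD), ("weak", HTTPS_WEAK)):
        print(f"{label}:", check_hsts(hdrs) or "ok")
```

Note the limit HSTS itself has: a browser only honours the policy after it has seen the header once over HTTPS, so the very first visit is protected only if the domain is on the preload list. That is why the `preload` directive and a long max-age matter, not just the header's presence.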
The three DNS records most SMBs get wrong
Next I check SPF, DKIM, and DMARC on the main domain. The failure mode is always the same. SPF exists. DKIM is broken or missing. DMARC is at p=none with no reporting address, which is the same as not having DMARC at all. This means any stranger with a mail server can send invoices from their domain, and every customer's mail client will show it as legitimate. For a trades business, that's one email to their biggest customer away from a six-figure problem.
I wrote a longer thing about the roll-out. Short version: publish SPF, turn on DKIM in Google or Microsoft, DMARC at p=none with reports first, then tighten over eight weeks.
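The SPF and DMARC part of that check, as an added example (not code from the original post). It takes the TXT record strings you have already fetched (for example with `dig TXT example.test` and `dig TXT _dmarc.example.test`) and flags the p=none-with-no-reports failure mode described above; the records and the example.test domain are constructed. DKIM is left out because checking it needs the selector name and a key fetch.

```python
"""Assess SPF and DMARC TXT records for the common SMB failure modes.

Added example, not code from the original post. Input is the record text you have
already fetched; the sample records below are constructed.
"""
import re

ALL_TERM = re.compile(r"[+\-~?]?all", re.I)
# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record such as DMARC into a dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = val.strip()
    return tags


def assess_dmarc(record):
    """Return findings for a _dmarc TXT record; [] means the policy is enforcing."""
    if record is None:
        return ["no DMARC record"]
    t = parse_tags(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        if "rua" not in t:
            findings.append("p=none with no rua: nothing is blocked and nobody is told, same as no DMARC")
        else:
            findings.append("p=none: monitoring only, spoofed mail is still delivered")
    else:
        if t.get("sp", "").lower() == "none":
            findings.append("sp=none: subdomains are excluded from the policy")
        pct = t.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy applied to only part of the mail")
    return findings


def assess_spf(record):
    """Return findings for the domain's SPF TXT record; [] means it looks sound."""
    if record is None:
        return ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record is not v=spf1"]
    findings = []
    all_term = next((x for x in terms[1:] if ALL_TERM.fullmatch(x)), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all: every host on the internet may send as this domain")
    elif all_term.startswith("?"):
        findings.append("?all: neutral result, effectively no protection")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; receivers will return permerror")
    return findings


# Constructed records for a domain at each stage of the roll-out.
SAMPLES = {
    "typical SMB": ("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none"),
    "week 1":      ("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.test"),
    "week 8":      ("v=spf1 include:_spf.google.com -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
}

if __name__ == "__main__":
    for stage, (spf, dmarc) in SAMPLES.items():
        print(f"{stage}: SPF {assess_spf(spf) or 'ok'}; DMARC {assess_dmarc(dmarc) or 'ok'}")
```

The three sample stages mirror the roll-out in the post: the first record set is what most SMBs have today, the second is what you publish on day one to start collecting reports, and the third is where you want to be after tightening.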
What else is on this domain
This is where most of the real damage lives. I point subfinder and amass at the domain and look at what comes back. A construction firm in Australia had 87 subdomains in their zone. They thought they had three. Of those 87, about twenty were live, three were serving a WordPress install from 2019, and one was an exposed Jenkins pointing at a cloud credential that still worked.
If you don't know what you own, you cannot defend it, and an attacker finding the list before you do is not hypothetical. I run this same enumeration on every scope call. Do it yourself with crt.sh if you want, or use the free check for a fast first pass.
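The inventory step above, as an added example (not code from the original post): take crt.sh's JSON output, reduce it to the hostnames that actually sit under your domain, and diff that against the list the business believes is complete. crt.sh's JSON (https://crt.sh/?q=%25.example.test&output=json) is a list of certificate entries whose `name_value` field carries the certificate's names, one per line; the entries and the example.test domain below are constructed rather than fetched.

```python
"""Turn crt.sh output into a subdomain inventory and diff it against the known asset list.

Added example, not code from the original post. The JSON below is constructed in the
shape crt.sh returns; nothing is fetched from the network.
"""
import json

# Constructed sample in crt.sh's JSON shape (only the fields used here are included).
CRTSH_SAMPLE = json.dumps([
    {"common_name": "example.test", "name_value": "example.test\nwww.example.test",
     "not_after": "2026-09-01T00:00:00"},
    {"common_name": "*.example.test", "name_value": "*.example.test",
     "not_after": "2026-09-01T00:00:00"},
    {"common_name": "jenkins.example.test", "name_value": "jenkins.example.test",
     "not_after": "2021-02-11T00:00:00"},
    {"common_name": "old-blog.example.test", "name_value": "old-blog.example.test\nOld-Blog.example.test.",
     "not_after": "2020-05-30T00:00:00"},
    {"common_name": "mail.example.test", "name_value": "mail.example.test",
     "not_after": "2026-12-01T00:00:00"},
    # A different registrable domain that merely ends in the same characters must not be included.
    {"common_name": "notexample.test", "name_value": "notexample.test",
     "not_after": "2026-01-01T00:00:00"},
])

# What the business thinks it owns (constructed).
KNOWN_ASSETS = ["example.test", "www.example.test", "mail.example.test"]


def hostnames_from_crtsh(raw_json, domain):
    """Return the sorted set of hostnames under `domain` named in crt.sh JSON output."""
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert names the parent zone, not a host
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def unknown_assets(found, inventory):
    """Hosts that Certificate Transparency logs know about but the asset list does not."""
    known = {n.strip().lower().rstrip(".") for n in inventory}
    return [n for n in found if n not in known]


if __name__ == "__main__":
    found = hostnames_from_crtsh(CRTSH_SAMPLE, "example.test")
    print("in CT logs:", found)
    print("not in inventory:", unknown_assets(found, KNOWN_ASSETS))
```

CT logs only list names that ever got a certificate, so this is a floor, not a ceiling; the subfinder and amass runs the post mentions add passive DNS and other sources on top. The point of the diff is the same either way: every name that comes back and is not on your list needs an owner, a purpose, or a DNS deletion.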
The exposed things nobody wants to hear about
I grep the main site's JavaScript and HTML for the strings "api_key", "secret", "AKIA", "ghp_", and similar. About one in eight SMBs leak some kind of credential in public JS. Usually an analytics API key or a partner token, sometimes worse. Then I curl /.git/config, /.env, /wp-config.php.bak, and /backup.zip. When one of these returns a 200, the conversation stops being about the website.
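The credential grep above, as an added example (not code from the original post). It runs the patterns the post names (api_key, secret, AKIA, ghp_) over your own JavaScript and HTML, redacts what it finds so the report itself does not become the leak, and avoids the obvious false positives. The sample bundle is constructed; the AWS key in it is the example key from AWS's own documentation, not a live credential.

```python
"""Scan JavaScript/HTML for leaked credentials and report them redacted.

Added example, not code from the original post. The sample file contents below are
constructed; the AWS access key id is AWS's documented example key.
"""
import re
import sys
from pathlib import Path

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # api_key / secret / token / password assigned a quoted literal of 8+ characters
    "generic_secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b["']?\s*[:=]\s*["']([^"'\s]{8,})["']"""
    ),
}


def redact(value):
    """Keep enough of a match to recognise it, never enough to use it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text, source="<inline>"):
    """Return a list of {kind, source, line, match} findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if kind == "generic_secret" else m.group(0)
                findings.append({"kind": kind, "source": source, "line": lineno, "match": redact(value)})
    return findings


def scan_paths(paths, suffixes=(".js", ".html", ".htm", ".map")):
    """Walk the given files/directories and scan every file with one of `suffixes`."""
    findings = []
    for root in paths:
        root = Path(root)
        files = [root] if root.is_file() else root.rglob("*")
        for f in files:
            if f.is_file() and f.suffix.lower() in suffixes:
                findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed sample: what a leaky bundle.js might contain.
SAMPLE_JS = """\
const uploader = { region: "ap-southeast-2", key: "AKIAIOSFODNN7EXAMPLE" };
fetch("/v1/quotes", { headers: { "X-Api-Key": "sk_live_constructed_0001" } });
var GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
const tokenType = "Bearer";        // 'tokenType' is not a credential and must not match
const password = "hunter2";        // too short to be treated as a literal secret
"""

if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_JS, "bundle.js")
    for r in results:
        print(f"{r['source']}:{r['line']}: {r['kind']} {r['match']}")
```

Run it against a local copy of the site's static assets (`python scan.py ./public`). Anything it flags that is a real key should be rotated first and removed from the bundle second; deleting the file does nothing for a credential that has already been indexed.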
Admin login exposure
For WordPress sites, I go straight to /wp-login.php. Ninety-something percent answer. Then I check if the username admin exists by trying a login and reading the error (WordPress tells you). If there's no rate limiting, no MFA, and the admin username exists, this is a brute-force target that will fall in a weekend. A password manager and a firewall plugin like Wordfence or a Cloudflare rule fixes this in twenty minutes.
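The detection side of that finding, as an added example (not code from the original post): count failed wp-login.php attempts per source address from the web server's access log and flag the bursts that a rate limit should have stopped. It assumes nginx/Apache combined log format and that a failed WordPress login re-renders the form with a 200 while a successful one redirects with a 302; the log lines use documentation IP ranges and are constructed.

```python
"""Flag brute-force bursts against /wp-login.php in a combined-format access log.

Added example, not code from the original post. Assumes a failed login returns 200 and
a successful one 302; the sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)   # assumption: 10 failures in 5 minutes is not a human
THRESHOLD = 10


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Yield (ip, timestamp) for POSTs to /wp-login.php that re-rendered the form (status 200)."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: max failures seen inside one window} for IPs that crossed the threshold."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


# Constructed sample: one real user who mistypes once, then a scripted burst.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Mar/2026:13:58:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2026:13:58:25 +0000] "POST /wp-login.php HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2026:13:58:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Mar/2026:14:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"'
    for sec in range(0, 60, 5)
]

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins inside {WINDOW}")
```

On a site with the Wordfence or Cloudflare rate limit the post recommends, this report should come back empty, because the burst gets blocked before it reaches the tenth attempt; if it does not, the rule is not in front of the login endpoint.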
What I skip
I don't run authenticated tests. I don't fuzz forms. I don't look at business logic. That's a pentest, and it's a different engagement. The twenty-minute pass is strictly what an attacker sees in their first hour of reconnaissance, and it turns up plenty.
What to fix first if you're doing this on your own site
- If HSTS is missing, turn it on this afternoon. It is free and prevents an entire category of attack.
- If DMARC is at none, start the roll-out today. Month two you'll be at reject.
- If any of those backup files return a 200, delete them from the server before lunch.
Everything else can wait a week. These three can't.
Run your own external scan.
AttackEdge continuously scans what your business exposes to the internet, then translates the findings into plain English. See what attackers see, without hiring a security team.