
Security
SSL certificates, vulnerable libraries, security headers, and protecting your visitors.
Website security is both a technical necessity and a legal obligation. Under UK GDPR Article 32, businesses must implement 'appropriate technical and organisational measures' to protect personal data. An expired SSL certificate, outdated WordPress plugins or missing security headers can expose your visitors' data, and expose your business to ICO action. A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); affected individuals must be told if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Key facts
- Capita was fined £14M (provisional) by the ICO in 2025 for security failings around a 2023 cyber-attack, the largest UK GDPR security fine to date
- 46% of all websites have at least one high-severity vulnerability (Acunetix 2024)
- WordPress plugins account for 97% of WordPress security vulnerabilities
- Missing security headers such as Content-Security-Policy leave sites vulnerable to XSS attacks
- UK GDPR Article 32 names encryption as an appropriate technical measure for personal data; for a website that collects it, SSL/TLS is the baseline the ICO expects, not an optional extra
What we check
- ✓ SSL/TLS certificate validity and configuration
- ✓ Security headers (CSP, HSTS, X-Frame-Options, etc.)
- ✓ Known vulnerable JavaScript libraries
- ✓ Mixed content (HTTP resources on HTTPS pages)
- ✓ SPF, DKIM and DMARC email authentication records
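The email authentication check in the list above, as an added example that is not the scanner's own code: it evaluates a domain's SPF record (presence, a single record, the final `all` qualifier, and the ten-lookup limit from RFC 7208) and its DMARC record (policy, percentage, reporting address). The TXT record sets are constructed for the demo; a scanner would obtain the real ones with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is deliberately left out: its record lives at `<selector>._domainkey.<domain>` and the selector is only visible in a signed message, so an external scan can at best probe common selector names.

```python
"""Evaluate a domain's SPF and DMARC records from its DNS TXT data.

Added example for this page, not the scanner's own code. The record sets
below are constructed; fetch the real ones with `dig TXT example.com` and
`dig TXT _dmarc.example.com` and pass the strings in.
"""

# SPF terms that each cost one of the 10 DNS lookups allowed per evaluation
# (RFC 7208, section 4.6.4). Exceeding the limit makes SPF fail with permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records for the demo.
GOOD_SPF = ["v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"]
WEAK_SPF = ["v=spf1 a mx include:spf.protection.outlook.com include:_spf.google.com +all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
WEAK_DMARC = ["v=DMARC1; p=none"]


def spf_lookup_count(terms):
    """Count the mechanisms/modifiers in an SPF record that trigger DNS lookups."""
    count = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and any CIDR suffix, then take the name
        # before ':' (mechanism argument) or '=' (modifier value).
        name = term.lstrip("+-~?").lower().split("/")[0].split(":")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def check_spf(txt_records):
    """Return findings for the TXT records of a domain (empty list means OK)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server can send mail claiming to be this domain"]
    if len(spf) > 1:
        findings.append("more than one SPF record: receivers treat this as permerror")
    terms = spf[0].split()[1:]
    lookups = spf_lookup_count(terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10: SPF evaluates to permerror")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender: the record provides no protection")
    elif last == "?all":
        findings.append("'?all' is neutral: most receivers treat it like having no SPF record")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with -all (fail) or ~all (softfail)")
    return findings


def parse_dmarc_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', 'rua': '...'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    """Return findings for the TXT records at _dmarc.<domain>."""
    findings = []
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    tags = parse_dmarc_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: DMARC only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: the record is not a usable policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who spoofs the domain are lost")
    return findings


def audit_email_auth(domain_txt, dmarc_txt):
    """Combine both checks the way a scanner report would present them."""
    return {"spf": check_spf(domain_txt), "dmarc": check_dmarc(dmarc_txt)}


if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, audit_email_auth(spf, dmarc))
```

The weak set is the pattern seen on many small-business domains: a record that grew by appending `include:` entries for each new mail provider and ends in `+all`, which authorises every sender on the internet, paired with a `p=none` DMARC policy that reports spoofing but never stops it.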
Website security: good vs. bad examples
Expired or missing SSL certificate
Visitors see a "Not Secure" warning in their browser because the SSL certificate has expired or was never installed. Encryption in transit is the baseline technical measure UK GDPR Article 32 expects for personal data. Without SSL/TLS, form submissions and login credentials travel in plain text and can be read or altered by anyone on the path between the visitor and the server.
Valid SSL with automatic renewal
A valid SSL/TLS certificate (e.g. Let's Encrypt) with automatic renewal configured and monitored, so a failed renewal is noticed before a short-lived certificate lapses. The browser shows a padlock icon. A Strict-Transport-Security (HSTS) header makes the browser connect via HTTPS on every later visit, even if someone types http://; the only unprotected request is the very first one before the header has been seen, unless the domain is on the browser HSTS preload list.
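The certificate side of that check, as an added example rather than the scanner's own code: it runs against a dict in the shape Python's `ssl` module returns from `getpeercert()`, reports how many days remain before expiry, and matches the requested hostname against the certificate's Subject Alternative Names with the one-label wildcard rule browsers apply. `SAMPLE_CERT`, the dates and the `warn_days` threshold are constructed for the demo; `fetch_peer_cert()` is the live equivalent for a real host.

```python
"""Certificate expiry and hostname checks on a getpeercert()-style dict.

Added example for this page, not the scanner's own code. SAMPLE_CERT is a
constructed dict in the shape ssl.SSLSocket.getpeercert() returns, so the
checks run offline; fetch_peer_cert() does the live handshake for a real host.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed certificate for the demo (a short-lived Let's Encrypt-style cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R11"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Mar 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def utc_date(year, month, day):
    """Helper so callers can pin 'now' for reproducible checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).total_seconds() / 86400


def hostname_matches(cert, hostname):
    """Match against subjectAltName DNS entries only (browsers ignore the CN).

    A wildcard matches exactly one label: *.example.com covers www.example.com
    but neither example.com nor a.b.example.com (RFC 6125 rules).
    """
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def audit_certificate(cert, hostname, now=None, warn_days=14):
    """Return findings (empty list means the certificate is fine for this host)."""
    findings = []
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"certificate expired {-left:.0f} days ago: browsers show a full-page warning")
    elif left < warn_days:
        findings.append(f"certificate expires in {left:.0f} days: check that automatic renewal is running")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate is not valid for {hostname}: browsers show a name-mismatch warning")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live check. With the default (verifying) context an expired or mismatched
    certificate raises ssl.SSLCertVerificationError, which is itself the finding."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(audit_certificate(SAMPLE_CERT, "www.example.com", now=utc_date(2026, 3, 20)))
```

The warning window matters more than the expiry date itself: with automated renewal a certificate that is still valid but closer to expiry than the renewal schedule allows (for Let's Encrypt, renewal normally runs at 30 days remaining) means the renewal job is broken and the padlock will disappear on a predictable date.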
Outdated WordPress with known vulnerabilities
Running an out-of-date WordPress core (for example a 5.x release) or plugins with known security flaws that have published CVE entries. Attackers scan for these automatically, often within days of a CVE being published. An exploited vulnerability that leaks customer data triggers the mandatory breach notification to the ICO within 72 hours.
Regular updates and patch management
WordPress core, themes and plugins updated within 48 hours of security releases. Automatic updates enabled for minor versions, the channel WordPress uses for security fixes. Unused plugins removed entirely rather than just deactivated, because a deactivated plugin's files are still on the web server and can still be requested directly.
No security headers configured
Missing Content-Security-Policy, X-Frame-Options and HSTS headers. Without these the browser has no instruction to block injected scripts (cross-site scripting), to refuse framing by other sites (clickjacking) or to insist on HTTPS (SSL-stripping downgrade attacks). Most hosting providers do not set these by default.
Security headers properly configured
Content-Security-Policy blocks inline scripts and restricts resource origins; a nonce- or hash-based script-src avoids the 'unsafe-inline' escape hatch that makes a policy useless against XSS. X-Frame-Options (or the CSP frame-ancestors directive, which supersedes it) prevents clickjacking. HSTS with a max-age of at least one year and includeSubDomains. Referrer-Policy set to strict-origin-when-cross-origin so full URLs are not leaked to third parties.
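The header audit described in the two paragraphs above, written out as an added example that is not the scanner's own code. `audit_headers()` grades a set of response headers against the baselines just listed and is run against two constructed header sets: `WEAK_HEADERS`, the typical default a host ships, and `HARDENED_HEADERS`, the corrected configuration. The thresholds (one-year HSTS, no 'unsafe-inline' in script-src) are conventional baselines rather than ICO rules, and X-Content-Type-Options is included as one of the "etc." headers a scanner normally covers.

```python
"""Audit security headers: a weak response set beside a hardened one.

Added example for this page, not the scanner's own code. Both header sets are
constructed; the thresholds (one-year HSTS, no 'unsafe-inline' in script-src)
are the conventional baselines, not ICO rules. X-Content-Type-Options is
included as one of the "etc." headers a scanner normally covers.
"""
import re

ONE_YEAR = 31536000  # seconds; also the minimum max-age accepted for HSTS preload

# Constructed header sets for the demo.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; object-src 'none'; "
        "frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn.example' -> {directive: [sources]}.

    Sources are lower-cased for keyword comparison only; real nonces are case-sensitive.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_headers(headers):
    """Return findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("no Content-Security-Policy: an injected script runs with no restrictions")
    else:
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src:
            findings.append("CSP sets neither script-src nor default-src: scripts are unrestricted")
        # A nonce or hash makes CSP3 browsers ignore 'unsafe-inline', so it is only a
        # finding when it is the sole way inline scripts are allowed.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts: reflected XSS is not blocked")
        if "*" in script_src or "http:" in script_src:
            findings.append("CSP script-src allows any host: the policy gives little protection")
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no frame-ancestors or X-Frame-Options: the page can be framed (clickjacking)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS: a typed http:// URL can be intercepted before the redirect to HTTPS")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year ({ONE_YEAR} seconds)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be reached over HTTP")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff: browsers may sniff responses into executable types")
    if "referrer-policy" not in h:
        findings.append("no Referrer-Policy: full URLs, query strings included, leak to third-party sites")
    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

Feed it the headers from `curl -sI https://example.com` (one dict entry per line) to audit a live site. Note that the hardened policy only works if every inline `<script>` on the page carries the matching nonce; a policy copied in without that change breaks the site, which is why the audit treats 'unsafe-inline' as acceptable while a nonce is also present.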
Mixed content on HTTPS pages
An HTTPS website that loads images, scripts or stylesheets over HTTP. Browsers block active mixed content (scripts, stylesheets, frames) outright and either upgrade or block passive content such as images, so the page may render broken or unstyled. Worse, an HTTP script on an HTTPS page can be modified in transit and then runs with full access to the page, so the HTTPS guarantee is lost for everything on it.
All resources loaded over HTTPS
Every image, script, stylesheet and font loaded via HTTPS. No mixed content warnings. External resources verified for HTTPS support before embedding. A Content-Security-Policy upgrade-insecure-requests directive as a fallback, which tells the browser to rewrite any remaining http: subresource fetch to https: before it is sent.
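The mixed content check from the two paragraphs above, as an added example that is not the scanner's own code: it parses an HTML page with the standard library, resolves every subresource URL against the page address (so protocol-relative `//cdn` and relative `/path` references correctly count as HTTPS), classifies each remaining `http:` reference as active, passive or a form submission, and reports what the page's CSP would do about it. `SAMPLE_PAGE` is a constructed page; the active/passive split follows the W3C Mixed Content specification that browsers implement.

```python
"""Find mixed content in an HTML page that is served over HTTPS.

Added example for this page, not the scanner's own code. SAMPLE_PAGE is a
constructed page; the active/passive split follows the W3C Mixed Content
specification, which is what browsers use to decide between blocking a
resource outright and upgrading or blocking it quietly.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch or submit to another URL. Active content can
# run code or restyle the page; passive content is only displayed; a form
# action over HTTP sends whatever the visitor typed in plain text.
RESOURCE_ATTRS = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only for rel=stylesheet, see below
    ("img", "src"): "passive",
    ("video", "src"): "passive",
    ("audio", "src"): "passive",
    ("source", "src"): "passive",
    ("form", "action"): "submission",
}

# Constructed page for the demo.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://example.com/favicon.ico">
<script src="//cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.com/hero.jpg">
<form action="http://example.com/contact" method="post"><input name="email"></form>
</body></html>"""


class MixedContentParser(HTMLParser):
    """Collect (kind, tag, absolute_url) for every http: reference on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (res_tag, attr), kind in RESOURCE_ATTRS.items():
            if tag != res_tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # icons, preconnect hints etc. cannot alter the page
            # urljoin resolves relative paths and protocol-relative //host URLs
            # against the page, so only explicit http: references remain http:.
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def find_mixed_content(html, page_url):
    """Return the list of http: references found on an HTTPS page."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def csp_mixed_content_fallback(csp):
    """What the page's CSP does about any http: references the markup still has."""
    directives = {d.strip().split()[0].lower() for d in (csp or "").split(";") if d.strip()}
    if "upgrade-insecure-requests" in directives:
        return "upgrade"  # browser rewrites http: subresource fetches to https: before sending
    if "block-all-mixed-content" in directives:
        return "block"    # legacy directive: everything is blocked, including passive content
    return "none"         # browser defaults apply: active blocked, passive upgraded or blocked


def summarise(findings):
    """Count findings per kind, the way a scanner report would group them."""
    counts = {"active": 0, "passive": 0, "submission": 0}
    for kind, _tag, _url in findings:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE, "https://example.com/contact")
    for kind, tag, url in found:
        print(f"{kind:<10} <{tag}> {url}")
    print(summarise(found))
```

On the sample page the protocol-relative `app.js` and the relative logo are correctly ignored, while the stylesheet, the legacy script, the hero image and the contact form are reported. The form is the one a visitor never sees a warning for: the page itself is HTTPS, but the email address they type is posted over HTTP, which is exactly the plain-text transmission Article 32 is concerned with. Note that upgrade-insecure-requests does not apply to a form action on a different origin in every browser, so the markup fix is the real remedy.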
Related guides
Data Breach Reporting Under GDPR: 72-Hour Notification
Report a personal data breach under GDPR Article 33: the 72-hour clock, when notification is required, what to file and when to tell affected individuals.
Is a website trustworthy? 10 signals to check in 2026
Practical checks to verify a website is legitimate in 2026. HTTPS, privacy policy, Companies House registration, contact details and certificate validation.
My Website Says 'Not Secure'. Here's How to Fix It
Your browser shows 'Not Secure' for your website? Here's what it means and how to fix it step by step.
UK GDPR Article 32: Website Security the ICO Expects
UK GDPR Article 32 explained. What ICO security expectations look like, NCSC technical guidance, encryption, access controls and the patch-timing rules.
Website Hacked? UK Incident Response in the First 72 Hours
Website hacked? UK incident response in the first 72 hours. ICO Article 33 notification, Article 34 user alerts, Action Fraud reporting and NCSC steps.
Website Security Checklist: 10 Things to Check Today
A practical security checklist for small business websites. 10 things you can check and fix today without technical expertise.
GDPR Requires a Secure Website: What You Need to Know
GDPR Article 32 requires you to protect personal data with appropriate security. Here's what that means for your website.
How to verify WordPress plugin security: NVD and CVE
Learn how UK site owners can check if WordPress plugins are genuinely vulnerable. NVD, Wordfence, Patchstack and ICO Article 32 guidance explained.
Vulnerable WordPress Plugins: How to Check and Fix Them
Vulnerable WordPress plugins are the top attack vector for small business sites and a GDPR Article 32 risk. How to check, patch and audit your plugins.
Website Hacked? Here's What to Do Right Now
Your website has been hacked or shows signs of malware. Here are the steps to take right now to contain the damage and get back online.
What Does a Website Security Scan Check?
What a website security scan actually checks: SSL, headers, vulnerable libraries, outdated CMS and more. Learn what the results mean and how to fix issues.
When your domain expires: UK and generic TLD timelines
Domain expiry follows different rules for UK and generic TLDs. Exact timelines, suspension periods, redemption costs, prevention.
SSL Certificate: What It Is, Why You Need It
An SSL certificate encrypts data between your website and visitors. Here's what it does, why you need one and how to get one for free.
Related from other areas
GDPR Compliance Checklist for Your Website (2026)
A practical GDPR checklist for small business websites. Check cookies, privacy policy, consent forms, and tracking scripts.
Does the European Accessibility Act Apply to Your Business?
The EAA became enforceable in June 2025. Find out if it applies to your business, what it requires and what happens if you don't comply.