From missing security headers to exposed configuration files, these are the vulnerabilities WebGuard finds most frequently — and they're all fixable in under an hour.
After scanning thousands of websites, the same issues come up again and again. The good news: most of them are straightforward to fix. Here are the top five.
How common: Found on approximately 73% of websites scanned.
HTTP security headers are instructions your server sends to browsers, telling them how to handle your content securely. The most impactful ones:
| Header | What it does |
|---|---|
| Content-Security-Policy | Prevents cross-site scripting (XSS) attacks |
| Strict-Transport-Security | Forces HTTPS, prevents downgrade attacks |
| X-Frame-Options | Prevents clickjacking |
| X-Content-Type-Options | Prevents MIME sniffing |
| Referrer-Policy | Controls what referrer information is sent |
How to fix: Add these headers in your web server config or application middleware. WebGuard provides the exact lines of code for Apache, Nginx, Cloudflare Workers, and Node.js/Express.
How common: Found on approximately 68% of websites.
A Content Security Policy (CSP) is the single most effective defence against cross-site scripting (XSS) — the most common web application vulnerability. Without one, an attacker who finds a way to inject JavaScript into your page can steal session cookies, redirect users to phishing sites, or mine cryptocurrency in your visitors' browsers.
How to fix: Start with a permissive policy and tighten it:
```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline';
```
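As an added example (not WebGuard's code and not part of the original post), the Python below audits a captured set of response headers against the five headers in the table above and flags a CSP that still lets injected scripts run; the two sample responses are constructed.

```python
# Added example (not WebGuard's code): audit a response's headers against the
# table above and the CSP rules above; the sample responses are constructed.
# REQUIRED_HEADERS maps header name -> what its absence leaves open (table above).
REQUIRED_HEADERS = {
    "content-security-policy": "XSS", "strict-transport-security": "downgrade attacks",
    "x-frame-options": "clickjacking", "x-content-type-options": "MIME sniffing",
    "referrer-policy": "referrer leakage",
}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_findings(value: str) -> list[str]:
    """Report CSP settings that still let injected scripts run."""
    policy = parse_csp(value)
    # script-src falls back to default-src when it is not set.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        return ["CSP sets neither script-src nor default-src"]
    findings = []
    if "'unsafe-inline'" in scripts:
        findings.append("CSP allows inline scripts ('unsafe-inline')")
    if "*" in scripts:
        findings.append("CSP allows scripts from any origin (*)")
    return findings

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means every check passed."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = [f"missing {name} (leaves {risk} open)"
                for name, risk in REQUIRED_HEADERS.items() if name not in present]
    if "content-security-policy" in present:
        findings += csp_findings(present["content-security-policy"])
    return findings

# Constructed sample: only a weak CSP is set, so four headers are missing too.
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
# Constructed sample: the five headers set as the fixes above describe.
FIXED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline';",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Feed it the headers from a real response (for example `dict(resp.headers)` from `urllib` or `requests`) to get the same findings for your own site.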
How common: Found on approximately 31% of websites — and these are the most dangerous.
Files that should never be publicly accessible but frequently are:
- `.env` — contains database passwords, API keys, secret tokens
- `.git/` — exposes your entire source code history
- `wp-config.php.bak` — WordPress configuration backup
- `database.sql` — full database dump including user data

How to fix: Block access to these paths in your web server config (Nginx shown):
```nginx
location ~ /\.(env|git|htaccess) {
    deny all;
    return 404;
}
```

This rule covers the dot-prefixed paths (`.env`, `.git/`, `.htaccess`); backup and dump files such as `wp-config.php.bak` and `database.sql` need a matching `location` rule of their own, or better, should not sit in the web root at all.
How common: SPF missing on 28% of domains; DMARC missing on 52% of domains.
Without proper email authentication, anyone can send emails that appear to come from your domain. This is used for phishing attacks against your customers and can get your legitimate emails marked as spam.
How to fix: Add DNS records:
SPF (a TXT record on your domain; adjust the `include:` for your mail provider):

```text
v=spf1 include:_spf.google.com ~all
```

DMARC (a TXT record at `_dmarc.yourdomain`; `dmarc@example.com` is a placeholder for the mailbox that receives aggregate reports):

```text
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
```

How common: TLS 1.0 or 1.1 still enabled on approximately 19% of websites.
TLS 1.0 and 1.1 are cryptographically broken. They're vulnerable to POODLE, BEAST, and SWEET32 attacks. PCI-DSS compliance explicitly requires disabling them.
How to fix: In Nginx:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...;
```
WebGuard checks for all 102 of these issues in under 60 seconds. Scan your website now — no account required.