Compliance | 7 min read | 20 April 2026

UK Cyber Essentials: What Your Website Needs to Pass

Cyber Essentials is the UK government-backed certification that demonstrates your organisation takes basic cyber security seriously. Here's exactly what your website needs to achieve it.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC), that helps organisations protect against the most common cyber threats. It covers five key technical controls:

  1. Firewalls — boundary firewalls and internet gateways
  2. Secure configuration — default settings changed, unnecessary features disabled
  3. User access control — least privilege, MFA for internet-facing services
  4. Malware protection — anti-malware software or application whitelisting
  5. Patch management — software and devices kept up to date

There are two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified). Many UK government contracts now require at least Cyber Essentials certification.


Why Your Website Matters for Certification

Your public-facing website is explicitly in scope for Cyber Essentials if it:

  • Is hosted on infrastructure you control (VPS, dedicated server, on-premise)
  • Processes or stores personal data
  • Is accessible from the internet (which it is, by definition)

Cloud-hosted websites (e.g. on Wix, Squarespace, or managed WordPress hosting) may be out of scope if the hosting provider holds the Cyber Essentials certification themselves — but you should verify this with your assessor.


Website Requirements for Cyber Essentials

Secure Configuration (Control 2)

This is where most websites fail. The requirement is to:

  • Remove or disable unnecessary software, services, and features
  • Change default credentials on all systems
  • Disable auto-run and auto-play features

For your website this means:

  • Remove unused plugins, themes, and software
  • Change default admin usernames (e.g. "admin" on WordPress)
  • Disable directory listing on your web server
  • Remove version disclosure from HTTP headers and HTML source
  • Disable debug mode in production
  • Remove or restrict access to admin panels

Patch Management (Control 5)

All software must be licensed and supported, with security patches applied within 14 days of release. For your website, check that:

  • Web server software (Apache, Nginx, IIS) is up to date
  • CMS (WordPress, Drupal, etc.) is on the latest stable version
  • All plugins and extensions are up to date
  • PHP/Node.js/Ruby version is supported and patched
  • SSL/TLS libraries are current (no TLS 1.0/1.1)
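The 14-day patch window above is easy to state and easy to lose track of across a web server, a CMS and a dozen plugins. The following is an added example (not WebGuard's code and not part of the original article) of a small tracker that classifies each component in an inventory against that window; the inventory, the reference date and the rule that "within 14 days" includes the fourteenth day are constructed assumptions.

```python
"""Classify components against the Cyber Essentials 14-day patch window.
Added example; INVENTORY and TODAY are constructed sample data."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # "applied within 14 days of release"


def patch_status(released, applied, today):
    """Return one of: compliant, late, pending, overdue.

    - compliant: patch applied on or before the deadline (assumption: the
      deadline day itself still counts as "within 14 days")
    - late:      patch applied, but after the deadline (a past failure an
                 assessor may still ask about)
    - pending:   not yet applied, deadline not yet reached
    - overdue:   not yet applied and the deadline has passed
    """
    deadline = released + PATCH_WINDOW
    if applied is not None:
        return "compliant" if applied <= deadline else "late"
    return "pending" if today <= deadline else "overdue"


def report(inventory, today):
    """Map component name -> status for a list of (name, released, applied)."""
    return {name: patch_status(rel, app, today) for name, rel, app in inventory}


def needs_action(inventory, today):
    """Components that would fail the 14-day requirement right now."""
    statuses = report(inventory, today)
    return sorted(n for n, s in statuses.items() if s in ("late", "overdue"))


# Constructed inventory: (component, security release date, date applied or None)
TODAY = date(2026, 4, 20)
INVENTORY = [
    ("nginx", date(2026, 3, 1), date(2026, 3, 5)),              # applied in 4 days
    ("wordpress-core", date(2026, 3, 20), date(2026, 4, 10)),   # applied after 21 days
    ("plugin-contact-form", date(2026, 4, 1), None),            # 19 days, still unpatched
    ("php", date(2026, 4, 15), None),                           # 5 days, still inside the window
]

if __name__ == "__main__":
    for name, status in report(INVENTORY, TODAY).items():
        print(f"{name:22} {status}")
    print("needs action:", needs_action(INVENTORY, TODAY))
```

Feed it the release dates from vendor advisories and the dates from your change log; anything reported as overdue is a straightforward self-assessment failure, and anything late is worth a note explaining why the window was missed.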

User Access Control (Control 3)

For internet-facing services (including your website's admin panel):

  • Multi-factor authentication is enabled for all admin accounts
  • Admin accounts use unique, strong passwords
  • Unused admin accounts are removed
  • Admin access is restricted by IP where possible
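A quick way to check the account items above is to audit an export of your admin users rather than clicking through each profile. The block below is an added example, not WebGuard's code or any CMS's API: it flags default usernames, accounts without MFA, and accounts that have not logged in recently. The 90-day inactivity threshold, the list of default names, and the sample accounts are all assumptions, since the article gives no specific values.

```python
"""Audit an exported list of admin accounts against the user access control
items. Added example; ACCOUNTS and the thresholds are constructed assumptions."""
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)          # assumption: what counts as "unused"
DEFAULT_NAMES = {"admin", "administrator", "root"}  # assumption: illustrative list


def audit_admins(accounts, today):
    """Return (username, finding) pairs for every admin account that fails a check.

    Each account is a dict with 'username', 'mfa' (bool) and 'last_login'
    (a date, or None if the account has never signed in).
    """
    findings = []
    for acct in accounts:
        user = acct["username"]
        if user.lower() in DEFAULT_NAMES:
            findings.append((user, "default-username"))
        if not acct.get("mfa", False):
            findings.append((user, "no-mfa"))
        last = acct.get("last_login")
        # Never-used accounts have no last_login and are treated as inactive
        if last is None or today - last > INACTIVE_AFTER:
            findings.append((user, "inactive"))
    return findings


def accounts_to_remove(accounts, today):
    """Usernames whose only problem is inactivity: candidates for removal."""
    flagged = audit_admins(accounts, today)
    inactive = {u for u, f in flagged if f == "inactive"}
    other = {u for u, f in flagged if f != "inactive"}
    return sorted(inactive - other)


# Constructed sample export (not real users)
TODAY = date(2026, 4, 20)
ACCOUNTS = [
    {"username": "admin", "mfa": False, "last_login": date(2026, 4, 19)},
    {"username": "j.smith", "mfa": True, "last_login": date(2026, 4, 18)},
    {"username": "old-contractor", "mfa": True, "last_login": date(2025, 11, 1)},
    {"username": "deploy-bot", "mfa": True, "last_login": None},
]

if __name__ == "__main__":
    for user, finding in audit_admins(ACCOUNTS, TODAY):
        print(f"{user:16} {finding}")
    print("remove:", accounts_to_remove(ACCOUNTS, TODAY))
```

On WordPress the same fields come out of the Users screen or a WP-CLI user list; the point is to run the check on a schedule, because an account that passed at assessment time can quietly become unused a few months later.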

Firewalls (Control 1)

  • A firewall or WAF is in place in front of your web server
  • Only necessary ports are open (80, 443 for web; close everything else)
  • SSH access is restricted to known IP addresses

Common Failures on Cyber Essentials Assessments

  Issue                        | Control              | Fix
  -----------------------------|----------------------|----------------------------------
  TLS 1.0/1.1 still enabled    | Patch Management     | Disable in web server config
  Default admin credentials    | Secure Config        | Change immediately
  Outdated CMS or plugins      | Patch Management     | Update within 14 days of release
  No MFA on admin panel        | User Access Control  | Enable 2FA
  Directory listing enabled    | Secure Config        | Disable in web server config
  Exposed .env or .git files   | Secure Config        | Block via web server rules
  Debug mode enabled           | Secure Config        | Set to production mode
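Most of the secure-configuration items in the list above and in this table (version disclosure in headers and HTML, directory listing, exposed .env or .git files, debug output on error pages) can be checked from your site's own HTTP responses before an assessor does. The following is an added example, not WebGuard's scanner or any project's code: it audits a set of captured responses offline. The header names, debug markers and sample responses are constructed assumptions, chosen to illustrate the checks rather than to match any particular scanner.

```python
"""Audit captured HTTP responses for the secure-configuration failures above:
version disclosure, directory listing, exposed .env/.git, debug mode.
Added example; the sample responses are constructed, not real scan output."""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Assumption: illustrative header names, debug markers and sensitive paths,
# not an exhaustive list of what an assessor's scanner looks for.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
DEBUG_MARKERS = ("stack trace:", "debug = true",
                 "whoops, looks like something went wrong", "fatal error:")
SENSITIVE_PATHS = ("/.env", "/.git/HEAD", "/.git/config")

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']', re.I)
INDEX_RE = re.compile(r"<title>\s*Index of ", re.I)


def audit(responses):
    """Return (category, path, detail) findings for a list of Response objects."""
    findings = []
    for r in responses:
        headers = {k.lower(): v for k, v in r.headers.items()}
        # Version disclosure via headers: "nginx/1.18.0" is flagged, "nginx" is not
        for name in VERSION_HEADERS:
            value = headers.get(name, "")
            if VERSION_RE.search(value):
                findings.append(("version-disclosure", r.path, f"{name}: {value}"))
        # Version disclosure via <meta name="generator"> in the HTML source
        m = GENERATOR_RE.search(r.body)
        if m and VERSION_RE.search(m.group(1)):
            findings.append(("version-disclosure", r.path, f"generator meta: {m.group(1)}"))
        # Directory listing: an autoindex page served successfully
        if r.status == 200 and INDEX_RE.search(r.body):
            findings.append(("directory-listing", r.path, "autoindex page served"))
        # Exposed files: a sensitive path answered with 200 instead of 403/404
        if r.status == 200 and r.path in SENSITIVE_PATHS:
            findings.append(("exposed-file", r.path, "sensitive file served with HTTP 200"))
        # Debug mode: error output leaking into the response body
        lower = r.body.lower()
        if any(marker in lower for marker in DEBUG_MARKERS):
            findings.append(("debug-mode", r.path, "error page exposes debug output"))
    return findings


def summarise(findings):
    """Count findings per category."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: a site that would fail several of the checks
VULNERABLE = [
    Response("/", 200, {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3"},
             '<html><head><meta name="generator" content="WordPress 6.4.2"></head></html>'),
    Response("/uploads/", 200, {"Server": "nginx"},
             "<html><head><title>Index of /uploads/</title></head></html>"),
    Response("/.env", 200, {"Server": "nginx"}, "DB_PASSWORD=placeholder-not-real"),
    Response("/.git/HEAD", 403, {"Server": "nginx"}, "403 Forbidden"),
    Response("/broken", 500, {"Server": "nginx"},
             "Whoops, looks like something went wrong.\nStack trace:\n#0 /var/www/app.php(12)"),
]

# Constructed sample: the same paths after hardening (no version, listings and
# sensitive paths blocked, generic error page)
HARDENED = [
    Response("/", 200, {"Server": "nginx"}, "<html><head><title>Home</title></head></html>"),
    Response("/uploads/", 403, {"Server": "nginx"}, "403 Forbidden"),
    Response("/.env", 404, {"Server": "nginx"}, "404 Not Found"),
    Response("/broken", 500, {"Server": "nginx"}, "Something went wrong. Please try again."),
]

if __name__ == "__main__":
    for category, path, detail in audit(VULNERABLE):
        print(f"{category:20} {path:12} {detail}")
    print("summary:", summarise(audit(VULNERABLE)))
    print("hardened findings:", audit(HARDENED))
```

To use it against your own site, populate the Response objects from the headers and bodies you capture with curl or a browser's network tab for the paths in the table; every finding maps back to one row of the table and its fix column.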

Getting Certified

  1. Choose a Certification Body — IASME, CREST, and others are authorised by the NCSC. Find one at ncsc.gov.uk/cyberessentials.
  2. Complete the self-assessment questionnaire — covers all five controls across your in-scope systems.
  3. For Cyber Essentials Plus — an assessor will conduct technical verification including vulnerability scanning.

Check Your Readiness Now

WebGuard's free scan checks many of the technical requirements above — TLS version, security headers, version disclosure, directory listing, exposed files, and more.

Run a free scan to see how your website measures up against Cyber Essentials requirements before your assessment.
