The Free Tools I Use to Audit Any Website in 30 Minutes
My actual audit process, step by step. Security headers, SSL, email authentication, page source, exposed login pages, DNS records. All free, all in 30 minutes.
People ask me what tools I use for website audits. The answer is nothing fancy. No expensive subscriptions, no enterprise software. Just a browser, a terminal, and a handful of free websites.
Here’s my actual process, step by step. You can do this yourself on your own website right now.
Step 1: Security headers (2 minutes)
Go to securityheaders.com and enter your website URL.
You’ll get a grade from A+ to F and a breakdown of which headers are present and which are missing. Most small business websites score F. The important ones to look for:
- Strict-Transport-Security (HSTS) — forces HTTPS
- Content-Security-Policy (CSP) — controls what scripts can run
- X-Frame-Options — prevents your site being embedded in iframes
- X-Content-Type-Options — prevents MIME sniffing attacks
- Referrer-Policy — controls what data is sent to third parties
If you’re missing all of these, your site is running with the doors unlocked. Not necessarily a disaster, but not where you want to be.
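To turn the five-header check into something you can run against your own response headers (copied from curl -I or the browser's network tab), here is an added example that is not from the original post. It assumes the header dict shown, and the one-year HSTS threshold is an assumption of this example, not a rule from securityheaders.com.

```python
import re

# Constructed sample response headers, as curl -I or browser devtools would show them
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# The five headers the audit looks for
REQUIRED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
]

ONE_YEAR = 31536000  # assumed threshold for a meaningful HSTS max-age (seconds)


def audit_headers(headers):
    """Return (missing, weak): headers absent entirely, and present-but-weak values."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing = [name for name in REQUIRED if name.lower() not in h]
    weak = []

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            weak.append("HSTS max-age is below one year")

    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        weak.append("CSP contains 'unsafe-inline' or 'unsafe-eval', which loosens script control")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options is neither DENY nor SAMEORIGIN")

    return missing, weak


if __name__ == "__main__":
    missing, weak = audit_headers(SAMPLE_HEADERS)
    print("Missing:", missing)
    print("Weak:", weak)
```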
Step 2: SSL/TLS certificate (1 minute)
Go to ssllabs.com/ssltest and enter your domain.
This checks your SSL certificate and the encryption your site uses. You want to see TLS 1.2 or 1.3. If you see TLS 1.0 or 1.1, those are outdated and insecure. You also want to see your certificate is valid and not about to expire.
Most sites pass this one because hosting providers handle it automatically. But I’ve found a few running expired certificates or supporting ancient TLS versions. Takes a minute to check.
Step 3: Email authentication (3 minutes)
Go to mxtoolbox.com and run three checks:
- MX Lookup — shows where your email is hosted
- SPF Record Lookup (mxtoolbox.com/spf.aspx) — checks if you have an SPF record
- DMARC Record Lookup (mxtoolbox.com/dmarc.aspx) — checks your DMARC policy
What you want to see:
- SPF record present with -all (hard fail) at the end
- DMARC record present with p=reject (not p=none or p=quarantine)
- DMARC should include a rua= address for receiving reports
What I usually find: SPF is there but weak, DMARC is missing entirely, and nobody has any idea whether their domain is being spoofed. I recently found a business that sends invoices to customers with no DMARC at all. Anyone could send a fake invoice from their domain and most email providers wouldn’t blink.
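The "what you want to see" checks above, applied to the raw TXT records a lookup returns, as an added example that is not part of the original post. The two sample records are constructed for illustration; the mailbox in them is a placeholder.

```python
# Constructed sample TXT records, the kind of thing the MXToolbox lookups return
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def check_spf(txt):
    """Return a list of findings for an SPF TXT record; an empty list means it passes."""
    if txt is None or not txt.startswith("v=spf1"):
        return ["no SPF record found"]
    terms = txt.split()
    # The 'all' mechanism decides what happens to mail from unlisted senders;
    # its qualifier is '-' (fail), '~' (soft fail), '?' (neutral) or '+' (pass, the default).
    all_terms = [t for t in terms if t.lstrip("-~?+") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism, so unlisted senders are not rejected"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "-~?+" else "+"
    if qualifier == "-":
        return []
    return [f"SPF ends with {qualifier}all rather than -all (hard fail)"]


def check_dmarc(txt):
    """Return a list of findings for a DMARC TXT record; an empty list means it passes."""
    if txt is None or not txt.startswith("v=DMARC1"):
        return ["no DMARC record found"]
    tags = {}
    for part in txt.split(";"):  # DMARC is a semicolon-separated list of tag=value pairs
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC record has no p= tag, so it is invalid")
    elif policy != "reject":
        findings.append(f"DMARC policy is p={policy}; it should be p=reject")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you get no aggregate reports")
    return findings


if __name__ == "__main__":
    for finding in check_spf(SAMPLE_SPF) + check_dmarc(SAMPLE_DMARC):
        print("-", finding)
```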
Step 4: View the page source (5 minutes)
Right-click on your website, select “View Page Source.” This is where the real findings live.
I search for:
- gtag or googletagmanager or fbq — tracking scripts. Note the line number.
- consent or cookie — consent manager. Note the line number.
- generator — often reveals your CMS and version (e.g., WordPress 6.1)
- powered-by — sometimes reveals server technology
- Comments — developers leave notes in the code. I’ve found version numbers, TODO notes, and once an API key sitting in an HTML comment.
If the tracking scripts are on lower line numbers than the consent script, tracking fires before consent. That’s a PECR violation. I find this on every single site I audit.
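The page-source searches and the line-number comparison, scripted over a constructed sample page, as an added example that is not from the original post. The HTML and the tracking ID in it are made up for illustration.

```python
import re

# Constructed sample page source; line numbers are what matter here, so keep it as one block
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta name="generator" content="WordPress 6.1">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; gtag('js', new Date());</script>
</head>
<body>
<!-- TODO: remove the old staging tracking ID before launch -->
<script src="/js/cookie-consent.js"></script>
</body>
</html>"""

TRACKING = ("gtag", "googletagmanager", "fbq")
CONSENT = ("consent", "cookie")


def first_line_with(lines, needles):
    """1-based number of the first line containing any needle (case-insensitive), or None."""
    for number, line in enumerate(lines, start=1):
        if any(n in line.lower() for n in needles):
            return number
    return None


def audit_source(html):
    """Apply the step 4 searches to raw page source and return the findings."""
    lines = html.splitlines()
    tracking_line = first_line_with(lines, TRACKING)
    consent_line = first_line_with(lines, CONSENT)
    findings = []
    if tracking_line and consent_line is None:
        findings.append(f"tracking script on line {tracking_line}, no consent manager found")
    elif tracking_line and consent_line and tracking_line < consent_line:
        findings.append(f"tracking (line {tracking_line}) loads before consent (line {consent_line})")
    generator = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', html, re.I)
    if generator:
        findings.append(f"generator tag reveals: {generator.group(1)}")
    for number, line in enumerate(lines, start=1):
        if "<!--" in line:  # HTML comments: developer notes, version numbers, sometimes secrets
            findings.append(f"HTML comment on line {number}: {line.strip()}")
    return {"tracking_line": tracking_line, "consent_line": consent_line, "findings": findings}
```

Line order is a prompt to look closer, not proof: some consent managers hold tag scripts inert (for example by changing their type attribute) until the visitor agrees, so confirm in the browser's network tab that no tracking request is sent before consent.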
Step 5: Check for exposed login pages (2 minutes)
Try visiting these URLs on your website:
- yourdomain.com/wp-login.php (WordPress)
- yourdomain.com/wp-admin (WordPress)
- yourdomain.com/administrator (Joomla)
- yourdomain.com/admin (generic)
If any of these load a login page, it’s publicly accessible. That means anyone can try to brute-force passwords. Combined with no rate limiting and no two-factor authentication — which is the usual situation — this is a real risk.
I check a few other paths too:
- yourdomain.com/.env — if this returns 403 (Forbidden) instead of 404 (Not Found), the config file exists on the server. It’s blocked, but it’s there. One misconfiguration and it’s readable.
- yourdomain.com/robots.txt — often reveals directory structure and admin paths
- yourdomain.com/sitemap.xml — sometimes lists pages that shouldn’t be public
Step 6: DNS records (3 minutes)
If you’re comfortable with a terminal, run:
- nslookup -type=TXT yourdomain.com — shows SPF, verification records, sometimes reveals services you’ve forgotten about
- nslookup -type=MX yourdomain.com — shows where email goes
- nslookup -type=TXT _dmarc.yourdomain.com — shows DMARC policy
If you’re not comfortable with a terminal, mxtoolbox.com does all of this through a web interface.
I once found a LogMeIn verification record in a company’s DNS. They’d set up remote access at some point and never removed the record. That’s not a vulnerability on its own, but it tells an attacker there might be a remote access service running somewhere on the network.
Step 7: Google PageSpeed (2 minutes)
Go to pagespeed.web.dev and enter your URL.
This isn’t strictly a security check but it tells you a lot about how the site is built. A poorly built site is often a poorly secured site. Look at the performance score on mobile — anything under 50 suggests the site is bloated or badly optimised.
The diagnostics section sometimes reveals interesting things too. Third-party scripts that slow the page down, unoptimised images, render-blocking resources.
What I do with all of this
After running through these steps I have a clear picture of a website’s security posture, email authentication, GDPR compliance, and general health. The whole process takes about 30 minutes.
I write it up in a report with plain English explanations and step-by-step fix instructions, then send it to the business owner for free. Most of the time, they had no idea about any of it.
If you can’t be bothered to run through all of this yourself, that’s literally what I’m here for. Free audit, no invoice, no obligation.
Get a free, independent website audit
I’ll run all seven of these steps on your website and send you a plain English report with fix instructions. Free, no obligation.
Request your free audit