
Cloudflare + Website Security Baseline Checklist

A practical starting checklist for reviewing DNS, Cloudflare, website security headers, WordPress exposure, backups, and admin access. Each section is a short list of checks; work through them in order, because the later sections (backups, recovery) depend on the DNS and account controls in the earlier ones.


A DNS and domain basics

  • Confirm registrar account has MFA enabled.
  • Confirm domain expiry date and auto-renewal status.
  • Export or back up all DNS records.
  • Review old, unused, or suspicious DNS records.
  • Check SPF, DKIM, and DMARC records if email is in use; if the domain never sends mail, publish a null SPF record (v=spf1 -all) and a DMARC policy of p=reject so it cannot be spoofed.
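The email record check above is easy to do by eye for one domain and easy to get wrong across many. The script below is an added example, not part of the original checklist: it evaluates SPF, DMARC and DKIM TXT records for the weaknesses that matter (no SPF, two SPF records, +all, more than ten lookup terms, DMARC p=none, missing rua, partial pct, a revoked DKIM key). The records are constructed sample data, and the lookup function, selector name and domain names are assumptions for illustration.

```python
import re

# Constructed sample TXT record sets keyed by the name that would be queried.
# These are made-up records for illustration, not any real domain's DNS data.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all",
        "google-site-verification=abc123",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
    "weak.example": ["v=spf1 +all", "v=spf1 include:mail.weak.example -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=reject; pct=10"],
}

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?::|$)|mx(?::|$)|ptr|exists:|redirect=)", re.I)


def spf_findings(txt_records):
    """Return a list of problems with the SPF record(s) among txt_records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record; any host can send as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record (receivers treat this as a permerror)")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every sender on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use '~all' or '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the limit of 10 (permerror)")
    return findings


def parse_tags(record):
    """Split a 'k=v; k2=v2' style DMARC or DKIM record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt_records):
    """Return problems with the DMARC record found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record; SPF/DKIM failures are not acted on"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def dkim_findings(txt_records):
    """DKIM selectors cannot be enumerated by query; the selector must be known."""
    keyed = [parse_tags(r) for r in txt_records if "p=" in r]
    if not keyed:
        return ["no DKIM key record at this selector"]
    if not keyed[0].get("p"):
        return ["DKIM key is revoked (empty p=)"]
    return []


def audit_domain(domain, selectors, txt_lookup):
    """txt_lookup(name) -> list of TXT strings; here it reads SAMPLE_TXT."""
    report = {
        "spf": spf_findings(txt_lookup(domain)),
        "dmarc": dmarc_findings(txt_lookup("_dmarc." + domain)),
    }
    for selector in selectors:
        report["dkim:" + selector] = dkim_findings(
            txt_lookup(f"{selector}._domainkey.{domain}"))
    return report


if __name__ == "__main__":
    lookup = lambda name: SAMPLE_TXT.get(name, [])
    for domain in ("example.com", "weak.example"):
        print(domain, audit_domain(domain, ["s1"], lookup))
```

For a live check, replace the lookup with a real resolver (for example dnspython's dns.resolver.resolve(name, "TXT"), joining each answer's strings) and pass the selector names your mail provider actually uses; the DKIM check is only as good as the selector list you feed it.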

B Cloudflare baseline

  • Confirm proxy status (orange cloud) is enabled for public web records, and that no unproxied (grey cloud) record points at the same origin IP; such a record lets an attacker bypass the WAF entirely.
  • Enable the Always Use HTTPS redirect, and set the SSL/TLS mode to Full (strict) so edge-to-origin traffic is encrypted and the origin certificate is validated.
  • Review WAF and Security Level settings.
  • Check that rate-limiting rules and bot protection (Bot Fight Mode or Bot Management) are enabled, at minimum on login and API paths.
  • Review Page Rules, Redirects, and Transform Rules for stale entries.
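The two checks that are hardest to do by eye in the dashboard are "is anything unproxied pointing at the origin" (section A's stale-record review and the proxy-status item above) and "are the zone-level TLS settings actually on". The script below is an added example, not Cloudflare's code or part of the original checklist: it runs those checks over records and settings in the shape returned by the Cloudflare API's dns_records and settings endpoints. The record and setting lists are constructed sample data, and the field subset and the list of non-web hostname prefixes are assumptions.

```python
# Constructed sample shaped like the "result" array of the Cloudflare API's
# GET /zones/{zone_id}/dns_records response (assumed subset of fields).
SAMPLE_RECORDS = [
    {"type": "A",     "name": "example.com",          "content": "203.0.113.10",  "proxied": True},
    {"type": "AAAA",  "name": "example.com",          "content": "2001:db8::10",  "proxied": True},
    {"type": "CNAME", "name": "www.example.com",      "content": "example.com",   "proxied": True},
    {"type": "A",     "name": "staging.example.com",  "content": "203.0.113.10",  "proxied": False},
    {"type": "A",     "name": "blog.example.com",     "content": "198.51.100.5",  "proxied": False},
    {"type": "A",     "name": "mail.example.com",     "content": "203.0.113.20",  "proxied": False},
    {"type": "MX",    "name": "example.com",          "content": "mail.example.com", "proxied": False},
    {"type": "CNAME", "name": "old-shop.example.com", "content": "shop.example-hosting.net", "proxied": False},
    {"type": "TXT",   "name": "example.com",          "content": "v=spf1 -all",   "proxied": False},
]

# Constructed sample shaped like GET /zones/{zone_id}/settings (assumed subset).
SAMPLE_SETTINGS = [
    {"id": "always_use_https", "value": "off"},
    {"id": "ssl", "value": "flexible"},
    {"id": "min_tls_version", "value": "1.0"},
]

# Hostname prefixes that carry non-HTTP protocols and so cannot be proxied
# (assumed convention; adjust to the zone being reviewed).
NON_WEB_PREFIXES = ("mail.", "smtp.", "imap.", "pop.", "ftp.", "vpn.", "ns1.", "ns2.")


def in_zone(target, zone):
    return target == zone or target.endswith("." + zone)


def audit_records(records, zone):
    """Return (severity, name, message) tuples for unproxied records that matter."""
    findings = []
    # Every proxied A/AAAA record's content is an origin address the proxy hides.
    origin_ips = {r["content"] for r in records
                  if r["proxied"] and r["type"] in ("A", "AAAA")}
    for r in records:
        name, rtype, target = r["name"], r["type"], r["content"]
        if rtype not in ("A", "AAAA", "CNAME") or r["proxied"]:
            continue
        if rtype in ("A", "AAAA") and target in origin_ips:
            # Direct path to the origin: WAF, rate limits and bot rules are bypassed.
            findings.append(("high", name, f"unproxied record exposes origin IP {target}"))
        elif rtype == "CNAME" and not in_zone(target, zone):
            # Stale external CNAMEs are the classic takeover candidate.
            findings.append(("review", name,
                             f"unproxied CNAME to external target {target}; confirm it is still yours"))
        elif not name.startswith(NON_WEB_PREFIXES):
            findings.append(("medium", name, "public web record not proxied (grey cloud)"))
    return findings


def audit_settings(settings):
    """Check the zone-level settings behind the Cloudflare baseline items."""
    s = {item["id"]: item["value"] for item in settings}
    findings = []
    if s.get("always_use_https") != "on":
        findings.append(("medium", "always_use_https", "HTTP is not redirected to HTTPS at the edge"))
    if s.get("ssl") in (None, "off", "flexible"):
        findings.append(("high", "ssl",
                         f"mode '{s.get('ssl')}' leaves HTTPS off or edge-to-origin traffic in plaintext; use full or strict"))
    if s.get("min_tls_version", "1.0") in ("1.0", "1.1"):
        findings.append(("medium", "min_tls_version", "allow TLS 1.2 and above only"))
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS, "example.com") + audit_settings(SAMPLE_SETTINGS):
        print(*finding, sep="\t")
```

To run this against a real zone, fetch the two lists with an API token scoped to read DNS and zone settings (never the global API key) and feed the "result" arrays in; the origin-IP check is the one worth fixing first, because a single grey-cloud staging or backup record undoes every WAF rule in the section above.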

C Website security headers

  • Strict-Transport-Security — HSTS is set with a max-age of at least six months (15552000 seconds) and includeSubDomains once every subdomain serves HTTPS.
  • Content-Security-Policy — CSP restricts inline scripts (no 'unsafe-inline' in script-src unless paired with nonces or hashes) and untrusted origins (no wildcard or scheme-only sources for scripts).
  • X-Content-Type-Options — set to nosniff.
  • Referrer-Policy — set to strict-origin-when-cross-origin or stricter.
  • Permissions-Policy — restricts camera, microphone, geolocation where not needed.
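The five header items above can be checked mechanically from a single response. The script below is an added example, not code from the original checklist: it evaluates a header set against exactly those five items, including the CSP subtlety that 'unsafe-inline' is harmless when a nonce or hash is also present (modern browsers then ignore it, and it only serves as a fallback for old ones). The two header sets are constructed samples; the six-month HSTS threshold, the feature list and the URL in the fetch helper are assumptions.

```python
import re
import urllib.request

STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation")
MIN_HSTS_AGE = 15552000  # 180 days; assumed minimum for this review

# Constructed samples of response headers, not captured from any real site.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(self)",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=*",
}


def parse_csp(value):
    """\"default-src 'self'; script-src 'self' cdn\" -> {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def parse_permissions_policy(value):
    """\"camera=(), geolocation=(self)\" -> {feature: allowlist string}."""
    policy = {}
    for part in value.split(","):
        if "=" in part:
            feature, allow = part.split("=", 1)
            policy[feature.strip().lower()] = allow.strip()
    return policy


def check_headers(headers):
    """Return a list of findings; an empty list means all five items pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m:
            findings.append("HSTS has no max-age")
        elif int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_AGE}")
        elif "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src when absent.
        script = d.get("script-src", d.get("default-src"))
        if script is None:
            findings.append("CSP has no script-src or default-src")
        else:
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script)
            if "'unsafe-inline'" in script and not nonce_or_hash:
                findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
            if any(s in ("*", "http:", "https:") for s in script):
                findings.append("script-src allows scripts from any origin")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Referrer-Policy may be a comma-separated list; the last recognised value wins.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer not in STRICT_REFERRER:
        findings.append(f"Referrer-Policy '{referrer or 'missing'}' is weaker than strict-origin-when-cross-origin")

    policy = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in SENSITIVE_FEATURES:
        allow = policy.get(feature)
        if allow is None:
            findings.append(f"Permissions-Policy does not mention {feature}")
        elif allow == "*":
            findings.append(f"Permissions-Policy allows {feature} for every origin")
    return findings


def fetch_and_check(url):
    """Fetch the final response (following redirects) and check its headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_headers(dict(resp.headers))


if __name__ == "__main__":
    print("good:", check_headers(GOOD_HEADERS))
    print("weak:", check_headers(WEAK_HEADERS))
```

Test the response the public sees through Cloudflare rather than the origin alone: headers may be added or overwritten by a response-header Transform Rule at the edge, and an origin that sets them correctly can still be undone there (or the reverse).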

D WordPress checks

  • Confirm WordPress core, all plugins, and themes are updated.
  • Remove unused plugins and themes.
  • Confirm all admin accounts are expected and still needed; demote or remove stale ones and enable MFA on those that remain.
  • Confirm backups exist and a restore has been tested.
  • Review Wordfence or security plugin alerts and scan results.

E Recovery checks

  • Confirm a DNS record backup exists and is stored off-platform.
  • Confirm a website/database backup exists and is restorable.
  • Confirm the restore process is documented and known to at least two people.
  • Confirm emergency contact paths to registrar, host, and Cloudflare are documented.
  • Confirm account recovery options (MFA backup codes) are stored securely.