Cloudflare + Website Security Baseline Checklist
A practical starting checklist for reviewing DNS, Cloudflare, website security headers, WordPress exposure, backups, and admin access.
A DNS and domain basics
- Confirm registrar account has MFA enabled.
- Confirm domain expiry date and auto-renewal status.
- Export or back up all DNS records.
- Review old, unused, or suspicious DNS records.
- Check SPF, DKIM, and DMARC records if email is in use.
B Cloudflare baseline
- Confirm proxy status (orange cloud) is enabled for public web records.
- Enable Always Use HTTPS redirect.
- Review WAF and Security Level settings.
- Check rate-limiting or Bot Protection options.
- Review Page Rules, Redirects, and Transform Rules for stale entries.
C Website security headers
- Strict-Transport-Security — HSTS is set with a suitable max-age.
- Content-Security-Policy — CSP restricts inline scripts and untrusted origins.
- X-Content-Type-Options — set to nosniff.
- Referrer-Policy — set to strict-origin-when-cross-origin or stricter.
- Permissions-Policy — restricts camera, microphone, geolocation where not needed.
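A way to check section C against a site's actual response headers, added here as an example and not part of the original checklist. The 180-day HSTS threshold, the sample header sets and the pass/fail rules for each header are this example's assumptions; feed it the headers from a real response (for instance `requests.get(url).headers`) to audit a live site.

```python
import re

# "Suitable max-age" is not quantified on the checklist; 180 days is this example's assumption.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600
# Referrer policies at least as strict as strict-origin-when-cross-origin.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
RESTRICTED_FEATURES = ("camera", "microphone", "geolocation")

def _feature_restricted(policy, feature):
    # A feature counts as restricted when it has a closed allowlist, e.g. camera=() or camera=(self).
    m = re.search(rf"\b{feature}=\(([^)]*)\)", policy)
    return bool(m) and "*" not in m.group(1)

def check_headers(headers):
    """Map each section-C item to (passed, detail) for one set of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    age = int(m.group(1)) if m else 0
    results["hsts"] = (age >= MIN_HSTS_MAX_AGE, f"max-age={age}")
    # script-src falls back to default-src; 'unsafe-inline' or a wildcard there defeats the CSP.
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower(): d.split()[1:] for d in csp.split(";") if d.strip()}
    script_src = directives.get("script-src", directives.get("default-src", []))
    csp_ok = bool(script_src) and "'unsafe-inline'" not in script_src and "*" not in script_src
    results["csp"] = (csp_ok, "script-src " + (" ".join(script_src) or "(missing)"))
    xcto = h.get("x-content-type-options", "")
    results["nosniff"] = (xcto.lower() == "nosniff", xcto or "(missing)")
    rp = h.get("referrer-policy", "").lower()
    results["referrer"] = (rp in STRICT_REFERRER, rp or "(missing)")
    pp = h.get("permissions-policy", "")
    restricted = all(_feature_restricted(pp, f) for f in RESTRICTED_FEATURES)
    results["permissions"] = (restricted, pp or "(missing)")
    return results

def failing(headers):
    """Names of the checklist items that fail, sorted, for a quick pass/fail view."""
    return sorted(name for name, (ok, _) in check_headers(headers).items() if not ok)

# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
               "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
               "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
               "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url",
               "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for label, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        for name, (ok, detail) in check_headers(hdrs).items():
            print(f"{label:5} {name:12} {'PASS' if ok else 'FAIL'}  {detail}")
```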
D WordPress checks
- Confirm WordPress core, all plugins, and themes are updated.
- Remove unused plugins and themes.
- Confirm all admin accounts are expected and active.
- Confirm backups exist and a restore has been tested.
- Review Wordfence or security plugin alerts and scan results.
E Recovery checks
- Confirm a DNS record backup exists and is stored off-platform.
- Confirm a website/database backup exists and is restorable.
- Confirm the restore process is documented and known to at least two people.
- Confirm emergency contact paths to registrar, host, and Cloudflare are documented.
- Confirm account recovery options (MFA backup codes) are stored securely.