Register for the waitlist now

← Back to Blog

How do I know my website is secure?

Authored by Daniel Bunte, Last updated: 2025-08-03

Tags:website-securityTLS-certificates

You had plans for this evening, but now you are here, looking for answers, because some browser shows scary warnings about your website. You want to know how to check if your website is secure, and you want to do it now!

You’ve come to the right place. In this guide, we’ll give you a comprehensive overview of how to manually check your website’s security. For each step, we’ll also link out to more detailed articles if you want to dive deeper.

The error message

Based on the error message you see (or got reported to you), you can start to investigate the issue. Here are some common error messages and what they might mean:

  • “Your connection is not private”: This usually means that your website’s SSL/TLS certificate is either expired, misconfigured, or not trusted by the browser.
  • “This site is not secure”: This can indicate that your website is not using HTTPS, or that there are mixed content issues (some resources are loaded over HTTP while the main page is loaded over HTTPS).
  • “This site may be hacked”: This warning can appear if the browser detects suspicious activity on your site, such as malware or phishing attempts.

How to check your website’s security

To manually check your website’s security, you can follow these steps:

Check your TLS (SSL) certificate

The padlock icon in the browser’s address bar is your first clue. If it’s missing, broken, or shows a warning, you likely have an issue with your SSL/TLS certificate. This digital certificate is responsible for encrypting traffic and verifying your site’s identity. Common problems include:

  • The certificate has expired.
  • It’s not configured for the correct domain or subdomains.
  • It wasn’t issued by a trusted Certificate Authority (CA).

These issues will trigger browser warnings and erode visitor trust.

For a step-by-step guide on how to inspect your certificate’s details in the browser, see our dedicated article: How To Check Your TLS (SSL) Certificate Validity.

Inspect your website’s content

Look for mixed content issues by checking if all resources (images, scripts, stylesheets) are loaded over HTTPS. You can do this by opening your website in a browser, right-clicking, and selecting “Inspect” or “Inspect Element.” Then, go to the “Console” tab and look for any warnings about mixed content. If you see any, you’ll need to update those resources to load over HTTPS.

If you want to do it thoroughly, switch to the “Network” tab and reload the page. Look for any requests that are not using HTTPS. You can filter the requests by protocol to make it easier to spot HTTP requests.

Scan for malware and vulnerabilities

This is not an easy one to do manually, because malware comes in all forms and sizes and can be hidden in various places on your website. However, you can start by checking for unusual files or directories in your website’s file structure. Look for files that you did not create or that have suspicious names. You might also want to use the browser’s developer tools to check for any suspicious scripts or iframes that might be injected into your pages. If the network tab shows requests to unfamiliar domains or scripts, that could be a sign of malware. Some malware hides cryptominers, or other very resource-intensive scripts, which can cause your website to slow down or become unresponsive. You can check for this by looking for a “task manager” or “performance” tab in your browser’s developer tools. If you see high CPU usage or long-running scripts, that could indicate a problem.

Check open ports

Ideally, your web server should only have the necessary ports open (nowadays it should only be 443 for HTTPS, unless you have several services like email running on your server). You can use tools like Nmap to scan your website’s IP address and see which ports are open. If you find any unexpected open ports, it could indicate a security issue.

Check for phishing attempts

If you suspect your site has been compromised, look for signs of phishing, such as unexpected redirects, unfamiliar content, or login forms that you did not create.

Review your website’s access logs

Check your server’s access logs for any suspicious activity, such as repeated failed login attempts or requests from unusual IP addresses. This can help you identify potential security threats.

Update your software

Ensure that your web server, content management system (CMS), and any plugins or themes are up to date. Outdated software can have security vulnerabilities that attackers can exploit.

Conclusion

By following these steps, you can manually check your website’s security and identify any potential issues. However, keep in mind that manual checks can be time-consuming and may not catch all security vulnerabilities. For continuous monitoring and automated checks, consider using a website monitoring service like SiteWatch.pro. It can help you stay on top of your website’s security and performance without the hassle of manual checks.

Portrait of Daniel Bunte

Daniel is the founder of SiteWatch.pro and has over 20 years of experience in web development and cybersecurity. He is passionate about making the web a safer place for everyone. Having knowledge in most major programming languages (Rust, Kotlin, Java, PHP, and more), he is a full-stack developer with a focus on security and performance. Daniel has deep experience from different industries, like e-commerce, gaming, energy, and more. He also holds a CompTIA PenTest+ certification, which showcases his expertise in penetration testing and security assessments.
Connect on LinkedIn.