Offering security audits positions you as an expert, not just a hosting provider. It builds trust, upsells security add-ons, and prevents incidents that create expensive emergency support tickets.
Basic Security Audit Checklist
Server Level
| Check | Tool | Expected Result |
|-------|------|----------------|
| SSL certificate valid | SSL Labs test | A or A+ rating |
| Security headers present | SecurityHeaders.com | All headers configured |
| Server software version hidden | Manual check | No version exposed |
| Directory listing disabled | Browser test | 403 or redirect |
| Backup schedule active | Control panel | Regular backups confirmed |
WordPress Level
| Check | Method | Risk if Failed |
|-------|--------|---------------|
| Core version current | WP-CLI or admin panel | Known vulnerabilities |
| All plugins updated | WP-CLI scan | Plugin exploits |
| Unused plugins removed | Manual review | Larger attack surface |
| Admin username not "admin" | Database check | Brute force target |
| Login URL changed | Browser test | Bot attack target |
| File editing disabled | wp-config.php check | Post-compromise escalation |
| Debug mode off | wp-config.php check | Information disclosure |
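
The two wp-config.php rows above can be checked from the shell. This is an added example, not part of the original article; it assumes the rows map to WordPress's `DISALLOW_FILE_EDIT` and `WP_DEBUG` constants, and the function names and sample file are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: audits a wp-config.php for two checklist rows.
# Assumption: the rows correspond to DISALLOW_FILE_EDIT and WP_DEBUG.

# Print the value of the first active define('NAME', ...); PHP keeps the first
# definition of a constant. Lines that start as comments are skipped.
wpconfig_value() {
    grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$1" |
        sed -nE "s/.*define\([[:space:]]*['\"]${2}['\"][[:space:]]*,[[:space:]]*([^)]*[^)[:space:]])[[:space:]]*\).*/\1/p" |
        head -n 1
}

# Classify a PHP literal as on/off; anything else needs a manual look.
php_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|false|0|null|"''"|'""'|"'0'"|'"0"') echo off ;;  # unset or falsy
        true|1|\'*\'|\"*\") echo on ;;  # the quoted string 'false' is truthy in PHP
        *) echo review ;;
    esac
}

# Print one line per check; return the number of checks that did not pass.
audit_wpconfig() {
    local file=$1 fails=0 edit debug
    edit=$(php_bool "$(wpconfig_value "$file" DISALLOW_FILE_EDIT)")
    debug=$(php_bool "$(wpconfig_value "$file" WP_DEBUG)")
    case $edit in
        on)  echo "PASS   file editing disabled" ;;
        off) echo "FAIL   file editing enabled: set DISALLOW_FILE_EDIT to true"; fails=$((fails + 1)) ;;
        *)   echo "REVIEW DISALLOW_FILE_EDIT is not a plain literal"; fails=$((fails + 1)) ;;
    esac
    case $debug in
        off) echo "PASS   debug mode off" ;;
        on)  echo "FAIL   WP_DEBUG is on: information disclosure"; fails=$((fails + 1)) ;;
        *)   echo "REVIEW WP_DEBUG is not a plain literal"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample input (not a real client file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
// define('DISALLOW_FILE_EDIT', true);
define( 'WP_DEBUG', 'false' );
EOF
audit_wpconfig "$sample" || echo "checks not passed: $?"
rm -f "$sample"
```

The sample fails both checks: the file-editing constant is only present in a comment, and `'false'` in quotes is a non-empty string, which PHP treats as true.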
Email Level
| Check | Tool | Expected Result |
|-------|------|----------------|
| SPF record | MXToolbox | Pass |
| DKIM record | MXToolbox | Pass |
| DMARC record | MXToolbox | Policy defined |
Automated Scanning
WPScan
```bash
wpscan --url https://clientsite.com --api-token YOUR_TOKEN
```
WPScan checks for:
- Known WordPress vulnerabilities
- Outdated plugins with CVEs
- Weak passwords (optional brute force check)
- Exposed sensitive files
ClamAV
```bash
clamscan -r /home/client/public_html/
```
Scans for known malware signatures in uploaded files.
Presenting the Audit
Report Template
```markdown
# Security Audit Report
## Client: [Name]
## Date: [Date]
### Executive Summary
Your website has [X] critical, [Y] moderate, and [Z] low-risk findings.
### Critical Findings
1. [Finding] - [Risk] - [Recommendation]
### Moderate Findings
1. [Finding] - [Risk] - [Recommendation]
### Low-Risk Findings
1. [Finding] - [Risk] - [Recommendation]
### Recommendations
1. Immediate: [Actions needed now]
2. Short-term: [Actions within 30 days]
3. Ongoing: [Recurring security practices]
```
Upselling from Audits
| Finding | Upsell |
|---------|--------|
| No backups | Backup add-on |
| Outdated WordPress | Managed WordPress plan |
| No malware scanning | Security scanning add-on |
| Weak SSL | Premium SSL certificate |
| No staging | Staging environment add-on |
The audit naturally leads to service recommendations. You're not selling; you're advising based on evidence.
Pricing Security Audits
| Approach | Price | Target |
|----------|-------|--------|
| Free with premium plan | $0 | Retention tool |
| Standalone service | $50-150/audit | Revenue generator |
| Monthly scanning subscription | $10-25/month | Recurring revenue |
Free audits for existing clients are the best retention tool. Paid audits for new prospects convert into hosting sales.
Scheduling
| Audit Type | Frequency | Scope |
|-----------|-----------|-------|
| Automated scan | Weekly | Known vulnerabilities |
| Manual review | Quarterly | Full security posture |
| Incident response | As needed | Post-breach analysis |
Running automated scans on Space-Node's reseller hosting is straightforward. Server-side tools are available, and the infrastructure includes security features that give your audits a solid foundation.
