Offering security audits positions you as an expert, not just a hosting provider. It builds trust, upsells security add-ons, and prevents incidents that create expensive emergency support tickets.
Basic Security Audit Checklist
Server Level
| Check | Tool | Expected Result |
|---|---|---|
| SSL certificate valid | SSL Labs test | A or A+ rating |
| Security headers present | SecurityHeaders.com | All headers configured |
| Server software version hidden | Manual check | No version exposed |
| Directory listing disabled | Browser test | 403 or redirect |
| Backup schedule active | Control panel | Regular backups confirmed |
WordPress Level
| Check | Method | Risk if Failed |
|---|---|---|
| Core version current | WP-CLI or admin panel | Known vulnerabilities |
| All plugins updated | WP-CLI scan | Plugin exploits |
| Unused plugins removed | Manual review | Larger attack surface |
| Admin username not "admin" | Database check | Brute force target |
| Login URL changed | Browser test | Bot attack target |
| File editing disabled | wp-config.php check | Post-compromise escalation |
| Debug mode off | wp-config.php check | Information disclosure |
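
The two wp-config.php checks in the table above can be scripted. This is an added example, not part of the original checklist: the function names are hypothetical, the sample config is constructed, and it assumes the standard WordPress constants `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and `WP_DEBUG`.

```shell
# Added example: audits wp-config.php for the "File editing disabled" and
# "Debug mode off" checklist items. Function names are hypothetical.

# Echo true, false, unset or review for define('NAME', value) in FILE.
# Anchoring on "define" skips lines commented out with // or #. PHP keeps the
# first definition of a constant, so only the first match counts.
# Assumption: no define() sits inside a multi-line /* */ comment.
wp_const() {
    val=$(sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$1['\"][[:space:]]*,([^)]*)\).*/\1/p" "$2" |
        head -n 1 | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$val" in
        '')                                 echo unset ;;
        true|1)                             echo true ;;
        false|0|null|"''"|'""'|"'0'"|'"0"') echo false ;;
        "'"*"'"|'"'*'"')                    echo true ;;   # 'false' as a string is truthy in PHP
        *)                                  echo review ;; # expression: needs a manual look
    esac
}

# Print one line per check; return 0 if all pass, 1 otherwise, 2 if unreadable.
audit_wp_config() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    failed=0
    edit=$(wp_const DISALLOW_FILE_EDIT "$1")
    mods=$(wp_const DISALLOW_FILE_MODS "$1")   # also blocks the built-in editors
    debug=$(wp_const WP_DEBUG "$1")
    if [ "$edit" = true ] || [ "$mods" = true ]; then
        echo "PASS file editing disabled"
    elif [ "$edit" = review ] || [ "$mods" = review ]; then
        echo "REVIEW file editing: value is an expression"; failed=1
    else
        echo "FAIL file editing enabled (post-compromise escalation)"; failed=1
    fi
    case "$debug" in
        true)   echo "FAIL debug mode on (information disclosure)"; failed=1 ;;
        review) echo "REVIEW debug mode: value is an expression"; failed=1 ;;
        *)      echo "PASS debug mode off" ;;
    esac
    return "$failed"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define( 'WP_DEBUG', 'false' );
define('DISALLOW_FILE_EDIT', true);
EOF
audit_wp_config "$sample" || true
rm -f "$sample"
```

The quoted `'false'` in the sample is reported as debug mode on, because PHP treats any non-empty string other than `'0'` as true.
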
Email Level
| Check | Tool | Expected Result |
|---|---|---|
| SPF record | MXToolbox | Pass |
| DKIM record | MXToolbox | Pass |
| DMARC record | MXToolbox | Policy defined |
Automated Scanning
WPScan
```
wpscan --url https://clientsite.com --api-token YOUR_TOKEN
```
WPScan checks for:
- Known WordPress vulnerabilities
- Outdated plugins with CVEs
- Weak passwords (optional brute force check)
- Exposed sensitive files
ClamAV
```
clamscan -r /home/client/public_html/
```
Scans for known malware signatures in uploaded files.
Presenting the Audit
Report Template
```markdown
# Security Audit Report
## Client: [Name]
## Date: [Date]
### Executive Summary
Your website has [X] critical, [Y] moderate, and [Z] low-risk findings.
### Critical Findings
1. [Finding] - [Risk] - [Recommendation]
### Moderate Findings
1. [Finding] - [Risk] - [Recommendation]
### Low-Risk Findings
1. [Finding] - [Risk] - [Recommendation]
### Recommendations
1. Immediate: [Actions needed now]
2. Short-term: [Actions within 30 days]
3. Ongoing: [Recurring security practices]
```
Upselling from Audits
| Finding | Upsell |
|---|---|
| No backups | Backup add-on |
| Outdated WordPress | Managed WordPress plan |
| No malware scanning | Security scanning add-on |
| Weak SSL | Premium SSL certificate |
| No staging | Staging environment add-on |
The audit naturally leads to service recommendations. You're not selling, you're advising based on evidence.
Pricing Security Audits
| Approach | Price | Target |
|---|---|---|
| Free with premium plan | $0 | Retention tool |
| Standalone service | $50-150/audit | Revenue generator |
| Monthly scanning subscription | $10-25/month | Recurring revenue |
Free audits for existing clients are the best retention tool. Paid audits for new prospects convert into hosting sales.
Scheduling
| Audit Type | Frequency | Scope |
|---|---|---|
| Automated scan | Weekly | Known vulnerabilities |
| Manual review | Quarterly | Full security posture |
| Incident response | As needed | Post-breach analysis |
Running automated scans on Space-Node's reseller hosting is straightforward. Server-side tools are available, and the infrastructure includes security features that give your audits a solid foundation.
