AvdB
Security & Protection
Confidential
Website Hardening Review
Client Name Ltd.
https://www.example.com
Report Number
WHR-2026-010
Date
11 May 2026
Prepared By
Alwin van der Bildt · AvdB Security
Test Period
[Start date] – [End date]
AvdB Security & Protection
contact@avdb-security.nl · avdb-security.nl
WHR
01

Executive Summary

Client Name Ltd.
Website Hardening Review

At the request of [Client Name], AvdB Security & Protection performed a Website Hardening Review of https://www.example.com. The review focuses on the public attack surface: what an external attacker can see, what they would typically try first, and which measures reduce exposure within a short remediation window.

This review combines passive reconnaissance, light active checks, security header and cookie analysis, TLS inspection, file and directory exposure tests, CMS/WordPress hardening checks, and safe validation of potential risk indicators. No destructive activity was performed.

Key value for your organisation: you see your website the way an external attacker sees it, and you receive a practical priority list to close the most important gaps within 1–2 weeks.

Findings by severity: Critical 0 · High 1 · Medium 1 · Low 0 · Info 0

Scope & Engagement Rules

In Scope

  • Publicly reachable website pages and endpoints
  • DNS, email security records (SPF, DKIM, DMARC)
  • TLS and certificate configuration
  • Security headers, cookies, redirects, mixed content
  • File, directory, backup, configuration exposure
  • CMS/WordPress surface (plugins, themes, REST API)
  • Authentication basics and access control (without brute force)

Explicitly Out of Scope

  • No exploitation of vulnerabilities
  • No authenticated testing unless agreed separately
  • No RCE, SQLi or XSS payload testing
  • No brute-force or credential attacks
  • No Denial-of-Service testing
  • No social engineering or physical access testing

Important: This report is a security snapshot based on what was visible and safely testable during the review window. Deeper application-level testing (exploitation, authenticated role testing, business logic) requires a separate Web Application Security Test.

Methodology – Recon & Exposure

Step 1 – Passive recon

  • crt.sh, Wayback Machine, Google dorks
  • Subdomain enumeration (passive only)
  • DNS records: A, AAAA, MX, TXT, SPF, DKIM, DMARC
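As an added illustration of the DNS part of Step 1 (example code written for this page, not part of the AvdB methodology or its tooling), the Python below reads SPF and DMARC TXT records the way a reviewer does: the qualifier on the final "all" term, the ten-lookup limit of RFC 7208, the deprecated ptr mechanism, the DMARC p= policy, the rua= reporting address, pct= and the subdomain policy. All records are constructed samples under hypothetical names such as _spf.mailprovider.example; in a live review the strings come from dig +short TXT <domain> and dig +short TXT _dmarc.<domain>.

```python
"""SPF / DMARC record review (added example; constructed sample records)."""
from typing import List, Optional

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def _costs_lookup(term: str) -> bool:
    """True for SPF terms that each consume one of the permitted DNS lookups."""
    return term in ("a", "mx", "ptr") or term.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")
    )


def evaluate_spf(record: Optional[str]) -> List[str]:
    """Return attention points for one SPF TXT record (empty list = nothing to report)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record (nothing starting with v=spf1)"]
    terms = record.split()[1:]
    # Drop the qualifier (+ - ~ ?) so "-all" and "~all" both compare as "all"
    stripped = [t.lstrip("+-~?").lower() for t in terms]
    issues: List[str] = []
    if "all" in stripped:
        raw_all = terms[stripped.index("all")]
        qualifier = raw_all[0] if raw_all[0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' lets any host send as this domain")
        elif qualifier == "?":
            issues.append("'?all' is neutral and gives receivers no enforcement signal")
    elif not any(t.startswith("redirect=") for t in stripped):
        issues.append("no 'all' mechanism or redirect=, so unmatched senders get an implicit neutral result")
    lookups = sum(1 for t in stripped if _costs_lookup(t))
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT} (receivers return permerror)")
    if any(t == "ptr" or t.startswith("ptr:") for t in stripped):
        issues.append("'ptr' mechanism is deprecated and should be removed")
    return issues


def evaluate_dmarc(record: Optional[str]) -> List[str]:
    """Return attention points for the _dmarc TXT record (None = record absent)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record at _dmarc.<domain>; spoofed mail is not policed"]
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail flow")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unprotected while the organisational domain is enforced")
    return issues


# Constructed sample records (hypothetical; not real DNS answers for any client)
SPF_WEAK = "v=spf1 a mx ptr include:_spf.mailprovider.example +all"
SPF_GOOD = "v=spf1 include:_spf.mailprovider.example -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_GOOD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, fn in (("SPF weak", SPF_WEAK, evaluate_spf), ("SPF good", SPF_GOOD, evaluate_spf),
                           ("DMARC weak", DMARC_WEAK, evaluate_dmarc), ("DMARC good", DMARC_GOOD, evaluate_dmarc)):
        print(label, "->", fn(rec) or ["OK"])
```

The lookup counter only counts terms in the top-level record; a full review also resolves each include: and redirect= target, because the ten-lookup budget is spent across the whole chain, not per record.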

Step 2 – Light active recon

  • nmap -sV on web ports (80,443,8080,8443)
  • Technology fingerprinting (server, framework, CMS)
  • Directory enumeration (medium wordlist, low threads)

Step 3 – Headers & cookies

  • Analyse response headers (CSP, HSTS, X-Frame-Options)
  • Check cookie flags (Secure, HttpOnly, SameSite)
  • HSTS preload status
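To show what Step 3 actually evaluates, the Python below is an added example (written for this page, not AvdB's tooling or output for any client) that scores one raw HTTP response on the report's severity scale: HSTS max-age, includeSubDomains and preload, CSP script-src and clickjacking coverage, nosniff, Referrer-Policy, version disclosure in Server / X-Powered-By, and the Secure / HttpOnly / SameSite flags on every Set-Cookie. The two responses are constructed samples with hypothetical values; in a live review the input is the output of curl -si https://www.example.com/.

```python
"""Security header and cookie review of one raw HTTP response (added example)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message) on the report's severity scale
ONE_YEAR = 31536000        # smallest HSTS max-age the preload list accepts

def parse_response(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to all their values (Set-Cookie can repeat)."""
    head = raw.partition("\r\n\r\n")[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def first(headers: Dict[str, List[str]], name: str) -> str:
    return headers.get(name, [""])[0].lower()  # first value, lower-cased; "" when absent

def check_hsts(headers: Dict[str, List[str]]) -> List[Finding]:
    value = first(headers, "strict-transport-security")
    if not value:
        return [("Medium", "Strict-Transport-Security missing; a first http:// visit can be downgraded")]
    out: List[Finding] = []
    match = re.search(r"max-age=(\d+)", value)
    age = int(match.group(1)) if match else 0
    if age < ONE_YEAR:
        out.append(("Medium", f"HSTS max-age={age} is below one year"))
    if "includesubdomains" not in value:
        out.append(("Low", "HSTS lacks includeSubDomains"))
    if "preload" not in value:
        out.append(("Info", "HSTS lacks the preload token, so the domain cannot be preloaded"))
    return out

def check_csp_and_framing(headers: Dict[str, List[str]]) -> List[Finding]:
    out: List[Finding] = []
    csp = first(headers, "content-security-policy")
    xfo = first(headers, "x-frame-options")
    if not csp:
        out.append(("Medium", "Content-Security-Policy missing"))
    else:
        directives = {d.split()[0]: d for d in (p.strip() for p in csp.split(";")) if d}
        script = directives.get("script-src", directives.get("default-src", ""))
        # A nonce or hash makes browsers ignore 'unsafe-inline', so flag it only when neither is present
        if "'unsafe-inline'" in script and not re.search(r"'(nonce|sha256|sha384|sha512)-", script):
            out.append(("Medium", "CSP script-src allows 'unsafe-inline', which defeats its XSS mitigation"))
    if "frame-ancestors" not in csp and xfo not in ("deny", "sameorigin"):
        out.append(("Medium", "no clickjacking protection (neither frame-ancestors nor X-Frame-Options)"))
    return out

def check_misc(headers: Dict[str, List[str]]) -> List[Finding]:
    out: List[Finding] = []
    if first(headers, "x-content-type-options") != "nosniff":
        out.append(("Low", "X-Content-Type-Options: nosniff missing"))
    if "referrer-policy" not in headers:
        out.append(("Low", "Referrer-Policy missing"))
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):  # version strings let an attacker pick CVEs
                out.append(("Info", f"{name} discloses a version: {value}"))
    return out

def check_cookies(headers: Dict[str, List[str]]) -> List[Finding]:
    out: List[Finding] = []
    for raw in headers.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower(): p.partition("=")[2].lower() for p in parts[1:]}
        if "secure" not in attrs:
            out.append(("Medium", f"cookie {name} lacks Secure"))
        if "httponly" not in attrs:  # a readable session cookie is what XSS would steal first
            out.append(("Medium" if "sess" in name.lower() else "Low", f"cookie {name} lacks HttpOnly"))
        if "samesite" not in attrs:
            out.append(("Low", f"cookie {name} lacks SameSite"))
    return out

def audit(raw: str) -> List[Finding]:
    headers = parse_response(raw)
    return check_hsts(headers) + check_csp_and_framing(headers) + check_misc(headers) + check_cookies(headers)

# Constructed responses (hypothetical; not captured from the client site)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nX-Powered-By: PHP/8.2.7\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\nSet-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; Path=/\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n"
)

if __name__ == "__main__":
    for severity, message in audit(WEAK_RESPONSE):
        print(f"[{severity}] {message}")
    print("hardened:", audit(HARDENED_RESPONSE) or "no findings")
```

The severities are the reviewer's starting point, not the final call: a missing Secure flag on a WordPress test cookie matters far less than on the session cookie, which is why the HttpOnly check already weights cookie names that look session-related higher, and the same adjustment is applied by hand to the rest before the findings table is written.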

Step 4 – TLS deep dive

  • testssl.sh full analysis
  • Certificate transparency & cipher suites
  • Mixed content check on all pages

Step 5 – File & directory exposure

  • Extensive gobuster with larger wordlist
  • Check .git/, backups, configs, logs, IDE files
  • Inspect JS bundles (API keys, source maps)
  • Upload directories & metadata (exiftool)

Step 6 – Authentication basics

  • Rate limiting observation (no brute force)
  • Forgot password flow – user enumeration?
  • User enumeration via WP REST API, ?author=, error messages
  • Default admin paths reachability

Step 7 – WordPress / CMS deep dive

  • WPScan (passive enumeration)
  • Plugin & theme CVE check
  • xmlrpc.php, REST API, debug mode, file editor
  • wp-config.php hardening recommendations

Step 8 – Misconfigurations

  • CORS testing (single curl requests with a foreign Origin header; response headers observed only)
  • Open redirect identification (no exploitation)
  • Verbose error observation (e.g. a stray quote such as ?id=test') – response observed only, no payloads
  • Apache server-status and server-info exposure
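For the CORS item in Step 8, the Python below is an added example (written for this page, not AvdB's tooling) of how the observed headers are turned into a signal without exploiting anything. It lists the four probe origins a reviewer sends one request each with (an arbitrary origin, two look-alikes that defeat naive startswith / endswith allow-list checks, and null) and classifies each response by whether the origin is reflected, whether credentials are allowed with it, and whether Vary: Origin is set. The responses are constructed dictionaries under the hypothetical origin https://attacker.example, not captured traffic; live input would come from curl -si -H "Origin: https://attacker.example" https://www.example.com/.

```python
"""Classify CORS responses to probes carrying a foreign Origin header (added example)."""
from typing import Dict, List, Tuple


def probe_origins(site_origin: str) -> List[str]:
    """Origins a reviewer sends, one request each, against the site's own origin."""
    host = site_origin.split("://", 1)[1]
    return [
        "https://attacker.example",         # is any origin reflected?
        f"{site_origin}.attacker.example",  # defeats a startswith() check on the allowed origin
        f"https://attacker{host}",          # defeats an endswith() check without a leading dot
        "null",                             # sandboxed iframes and data: URLs send Origin: null
    ]


def classify_cors(sent_origin: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (severity, reason) for one response; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return ("None", "no Access-Control-Allow-Origin: the browser blocks cross-origin reads")
    if acao == "*":
        # Browsers refuse to expose credentialed responses behind a wildcard, so only public data leaks
        return ("Info", "wildcard origin; only unauthenticated content is readable cross-site")
    if acao == "null":
        return ("High" if creds else "Medium", "'null' origin accepted; a sandboxed iframe can obtain it")
    if acao == sent_origin:
        reason = f"probe origin {sent_origin} reflected"
        if creds:
            reason += " with credentials: authenticated responses readable by any site"
        if "origin" not in h.get("vary", "").lower():
            reason += "; no Vary: Origin, so a cache may serve the reflected header to other visitors"
        return ("High" if creds else "Medium", reason)
    return ("None", f"fixed allow-list origin {acao} returned; probe not accepted")


def review(site_origin: str, responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Run classify_cors over the probe set; a missing response counts as no CORS headers."""
    return {o: classify_cors(o, responses.get(o, {})) for o in probe_origins(site_origin)}


# Constructed responses keyed by the probe they answer (hypothetical, not captured traffic)
SAMPLE_RESPONSES = {
    "https://attacker.example": {"Access-Control-Allow-Origin": "https://attacker.example",
                                 "Access-Control-Allow-Credentials": "true"},
    "https://www.example.com.attacker.example": {"Access-Control-Allow-Origin": "https://www.example.com"},
    "https://attackerwww.example.com": {"Access-Control-Allow-Origin": "*"},
    "null": {},
}

if __name__ == "__main__":
    for origin, (severity, reason) in review("https://www.example.com", SAMPLE_RESPONSES).items():
        print(f"{origin:45} [{severity}] {reason}")
```

A "High" here is still reported as an attention point in the engagement's own terms: the script only shows that the server echoes an arbitrary origin with credentials; confirming that a real authenticated endpoint leaks data belongs to a Web Application Security Test.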

Step 9 – Light validation (safe)

  • Identify reflected parameters (signal, not exploit)
  • IDOR risk indicators (?user=123) – signal only
  • Forms without CSRF tokens – signal
  • Report as “attention points for follow-up testing”

Step 10 – Reporting & roadmap

  • 8–15 pages with executive summary
  • Findings per severity (Critical/High/Medium/Low/Info)
  • Remediation roadmap: “fix this first, then this”
  • Actionable, prioritised hardening steps

Findings – Detailed Analysis

F-01 – New finding – Severity: High
Affected Component:
Screenshot / Evidence: [Screenshot area / evidence reference]
Description:
Business Impact:
Recommendation: Implement hardening according to best practices.
References:

F-02 – New finding – Severity: Medium
Affected Component:
Screenshot / Evidence: [Screenshot area / evidence reference]
Description:
Business Impact:
Recommendation: Implement hardening according to best practices.
References:

Action Plan – What to Do?

Remediation tasks per finding

F-01 – New finding – High
📌 What to do? / Recommendation: Please add a recommendation in the finding detail page.

F-02 – New finding – Medium
📌 What to do? / Recommendation: Please add a recommendation in the finding detail page.

Findings Overview Table

ID   | Severity | Title       | Affected Component | Status
F-01 | High     | New finding |                    | Open
F-02 | Medium   | New finding |                    | Open

Follow-up & Closing

After implementing the recommended hardening steps, AvdB recommends a short re-test to verify that the highest-priority findings have been closed. For findings that were reported as “attention points” (potential SQLi, XSS, IDOR, etc.), deeper application testing should be performed under a separate Web Application Security Test engagement.

Disclaimer

This report was prepared based on a limited Website Hardening Review of the agreed scope and review period. Findings are based on information available at the time of testing. Security conditions can change after delivery due to new vulnerabilities, configuration changes, software updates or infrastructure changes.

AvdB Security & Protection does not guarantee that all vulnerabilities have been identified. This review is intended to reduce public attack surface exposure and does not replace continuous monitoring, secure development practices or a full penetration testing programme.

No exploitation was performed. No destructive payloads were used. No data was changed, removed or exfiltrated. Where this report identifies potential SQLi, XSS, IDOR or similar risk indicators, these are reported as attention points for follow-up validation, not as confirmed exploitable vulnerabilities unless explicitly stated otherwise.

This report is strictly confidential and intended only for the client named in this document. Distribution to third parties requires written permission from AvdB Security & Protection.

Prepared By
Alwin van der Bildt
Delivery Date
11 May 2026
Version
1.0 – Final