Website Security Audit: What Gets Checked and What It Costs

9 min read · AstraLoop Studio

If you run a website that generates leads, takes payments, or stores customer data, sooner or later you ask yourself a simple question: how secure is it, really? Most site owners answer by installing a plugin for a few dozen euros a year and calling it done. Then the nasty surprise arrives: a defaced site, redirects to gambling pages, a contact form spewing spam, or worse, customer data ending up who-knows-where.

A security audit is a different animal from a plugin. It's a structured analysis of your site's vulnerabilities, carried out by someone who knows what to look for and how an attacker would actually try it. In this article we break down exactly what gets checked, what it costs in Italy in 2026, and why the gap between an automated scan and a human audit only becomes obvious when you actually need it.

Illustration of a magnifying glass inspecting a website, revealing hidden vulnerabilities behind lock and shield icons.

Why this has become urgent (the numbers don't lie)

This isn't scaremongering. The 2026 Clusit Report shows Italy accounting for roughly 10% of global incidents, with serious attacks up 23% in the first quarter alone and vulnerability exploitation up 65% versus 2024. The figure that should really grab your attention is this one: SMEs make up 72% of the targets. Not multinationals with dedicated IT departments — businesses like yours.

On the WordPress side, which covers a huge slice of Italian business websites, the picture is even more concrete. In 2025, 11,334 new vulnerabilities were discovered, up 42% on the previous year, and 97% of them lived in third-party plugins and themes. Vulnerable sites get scanned and hit by automated botnets every few minutes, with no human ever specifically targeting you. You're simply an IP address with a known hole in it.

A website security audit is one piece of a bigger picture. If you want to understand how it fits into a full-scale protection strategy, start with our IT security audit guide for SMEs, which covers the whole company perimeter, not just the website.

What a website security audit actually checks

A real audit isn't a button you press. It's a sequence of checks, some automatable, most not. Here's what a proper one should cover.

1. Vulnerability assessment (mapping the holes)

This is the most technical phase. CMS, plugins, themes, software versions, and libraries get scanned and cross-checked against databases of known vulnerabilities (CVEs). It answers the question: which doors are open, and which components have documented holes? It's the first layer, the one an automated tool can partly handle on its own. If you want to go deeper, we've written a dedicated piece on what a vulnerability assessment is.

2. Analysis of CMS-specific vulnerabilities

On WordPress, Prestashop, Magento, or headless setups, there are recurring risk patterns: plugins abandoned by their developers, outdated versions, weak credentials, exposed configuration files, wrong folder permissions. A good auditor knows the typical flaws of each platform. For WordPress sites specifically, most of the risk comes from third-party components — we cover this in detail in our article on WordPress plugin vulnerabilities.

3. Server and hosting configuration

Your site can be locked down while the server underneath it isn't. This step checks SSL/TLS certificates, HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options), PHP versions, exposed technical information, automatic backups, and web application firewall (WAF) coverage.

4. Access management and authentication

Who has access to the admin area? With what passwords? Is two-factor authentication in place? Are there inactive accounts, or accounts belonging to former collaborators still active? This is attackers' door of choice, and it's almost always wide open.

5. Targeted penetration testing (where it's warranted)

In more sensitive cases — e-commerce sites, or sites handling sensitive data — the audit goes beyond scanning and attempts a controlled attack: SQL injection, cross-site scripting, login bypass attempts, tampering with carts and payments. This is where the difference between a vulnerability assessment and a penetration test really matters. The first finds the doors; the second tries to open them.

6. Data protection and GDPR compliance

A well-run audit also checks where the data collected through your forms ends up, whether it's encrypted, who can access it, and whether you'd be able to meet the 72-hour notification obligation to the Data Protection Authority in the event of a breach. Because a site flaw that exposes customer data isn't just a technical problem — it's a data breach under GDPR, with legal and financial consequences.

Illustration contrasting an automated scanner pressing a button with a human analyst checking the doors and windows of a building.

Human audit vs. automated plugin: the real difference

This is the part almost nobody explains clearly. An automated scan — the security plugin, or free online tools — does exactly one thing well: it compares your installed versions against a list of known vulnerabilities. Genuinely useful, but limited to whatever is already catalogued.

What a tool doesn't do:

  • It doesn't understand context. A quote-request form that accepts attachments is a different risk on a brochure site than on one handling health data. The tool flags everything the same way, or doesn't flag it at all.
  • It doesn't chain vulnerabilities together. Real breaches almost never exploit a single flaw. They use a chain of small defects that look harmless individually. Only a human sees the chain.
  • It doesn't test business logic. A cart that lets you apply the same coupon multiple times, or that lets you tamper with the price client-side, is a logic flaw invisible to any scanner.
  • It generates false positives and false negatives. It buries you in irrelevant alerts while staying silent on what actually matters, leaving you with a false sense of protection.

The most honest metaphor is this: the automated plugin is the alarm that goes off. The human audit is the consultant who walks around the house, tries the windows, checks whether the key is under the doormat, and tells you exactly which door you'd otherwise leave open without realizing it.

What a website security audit costs in Italy

Prices vary a lot depending on depth and site complexity. Here are realistic ranges for the Italian market in 2026.

Type of engagementWhat's includedPrice range
Automated scan + reportKnown-vulnerability scan, basic report, no interpretation€0 - €300
Basic audit for a brochure siteVulnerability assessment, server config, access review, prioritized report€500 - €1,500
Full WordPress/CMS auditPlugin/theme analysis, hardening, GDPR, guided remediation€1,200 - €3,500
E-commerce audit with pen testManual testing on payments, cart, login, customer data€3,000 - €8,000+
WordPress hardening (audit + fix)Audit + corrective work + full hardening€1,500 - €5,000

Watch out for two extremes. Below €300 you're rarely buying a real audit: you're buying a tool-generated report, often indistinguishable from what you'd get for free. At the opposite end, an "all-inclusive for life" package at huge numbers always needs scrutiny. What does the remediation actually cover? Is there ongoing monitoring, or is it a one-off job?

The cost of an audit should always be weighed against the cost of skipping it. For an SME, the average cost of a ransomware incident or data breach runs between €35,000 and €250,000, once you factor in downtime, recovery, notifications, and reputational damage. Seen that way, a €2,000 audit is insurance, not an expense. We've run the numbers in detail in our article on the real cost of a data breach and the ROI of prevention.

Want to know how exposed your website really is, before finding out the hard way? Request a targeted security assessment: we'll tell you what to fix and in what order.

What drives the price (and how to get a sensible quote)

If you ask three providers for a quote and get three different numbers, that's normal — it depends on concrete variables. Here are the ones that actually move the needle.

  • Site complexity. A 5-page brochure site and a 2,000-product e-commerce store with a members' area and payments are worlds apart.
  • Depth of testing. Vulnerability assessment only, or manual penetration testing too? The latter requires qualified hours and is the line item that weighs the most.
  • Data handled. If you process sensitive data (health, banking), the audit needs to cover compliance too, which widens the scope.
  • Remediation included or not. Finding the flaws is one thing, fixing them is another. Clarify whether the price covers just the report or the corrective work too.
  • Follow-up and retesting. A serious audit includes a retest after fixes are applied, to confirm they're actually closed. Ask whether it's included.

A practical tip when comparing quotes: ask for a sample anonymized report. If the provider shows you a PDF rich in context, risk prioritization, and operational guidance, you're talking to someone who runs human audits. If they hand you the raw output of a tool, you know exactly what you're buying. On how a quote like this gets put together, you can also look at how penetration test pricing works.

The link to cyber insurance

There's one thing almost no provider tells you: more and more cyber insurance policies now require, to stay valid or to avoid a higher premium, proof of minimum security measures and often a periodic audit. If you take out a policy and then suffer a breach caused by a known, unaddressed vulnerability, the insurer can contest the payout. In practice, the audit isn't just there to prevent the attack. It also makes your site — and your business — insurable on reasonable terms. It's a calculation worth making upfront, not after the fact.

When it makes sense to audit your website

You don't need to do it every month, but there are clear moments when it's warranted.

  • You run an e-commerce site or one that collects payments and customer data.
  • You haven't updated the site in months, or you don't know who's updating it.
  • You've already had an incident, even a small one: spam from your forms, odd redirects, suspicious slowdowns.
  • You're about to take out a cyber insurance policy, or you work with clients who require one.
  • You've switched agency or developer and don't know what state things were left in.

If your site has already been compromised, the audit comes afterward — clean-up comes first. In that case, start with our guide on what to do when a WordPress site gets hacked.

In short

A security plugin is a decent first layer, but it's not an audit. A real security audit costs between €500 and several thousand euros in Italy, depending on complexity and depth, and the difference is made by the human eye that reads context, chains flaws together, and tells you what to fix first. Weighed against the cost of a real incident, it's one of the highest-return investments you can make to protect the work behind your website.

Frequently asked questions

How much does a website security audit cost in Italy?

It depends on the depth. A basic audit for a brochure site starts at €500-1,500, a full audit on WordPress or another CMS runs €1,200-3,500, while an e-commerce site with manual penetration testing can exceed €8,000. Below €300 you're usually only buying an automated scan, not a real audit.

Isn't a WordPress security plugin enough instead of an audit?

No. A plugin blocks known threats and provides a basic barrier — useful, but limited. It doesn't understand your site's context, doesn't chain vulnerabilities together, and doesn't test business logic (carts, coupons, payments). A human audit finds exactly what the plugin misses, which is often what matters most.

How much does it cost to secure a WordPress site?

Hardening, which includes an audit plus corrective work and full hardening, typically runs from €1,500 to €5,000. The price depends on how many vulnerabilities are found, how many plugins and themes need fixing, and whether the site has already been compromised.

How often should a website audit be redone?

For a stable brochure site, once a year or after major changes may be enough. For an e-commerce site or one handling sensitive data, an annual audit plus periodic checks is advisable — partly because many cyber insurance policies require it to stay valid.

What's the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment scans and maps known flaws — it finds the doors. A penetration test actually tries to exploit them by simulating a real attack — it opens the doors. The first is cheaper and broader, the second more expensive and targeted. A serious e-commerce site needs both.

Is a website audit relevant for GDPR too?

Yes. If your site collects data through forms, a members' area, or payments, a flaw that exposes that data is a data breach in every sense, with a 72-hour notification obligation to the Data Protection Authority. A well-run audit checks where the data ends up, whether it's encrypted, and who can access it, covering the compliance side too.

If you want a clear quote for a security audit of your site, no vague bundles, let's talk. We'll work out together the level of scrutiny you actually need.