# Small Site Security Hygiene Packet

## What this is

A public-only website security hygiene packet for small business sites, agencies, freelancers, and operators who need a fast first pass before deeper technical work. It is built for WordPress, Shopify, Webflow, custom landing pages, lead-gen sites, forms, checkout-adjacent pages, booking flows, and older business sites where ownership is split between a founder, agency, host, plugin stack, and support team.

## What this is not

This is not surprise hacking, exploit work, penetration testing, pressure sales, or a threat built on a vulnerability. No login, brute force, fuzzing, private-data access, admin probing, rate-limit stress, payment testing, credential guessing, bypass attempt, or production-state change is included without written authorization and a clear scope.

## Public-only checks

The first-pass packet can review visible public signals:

- HTTPS, certificate, and mixed-content symptoms.
- Basic public security headers from normal browser or HTTP metadata.
- Public `security.txt` or responsible disclosure route.
- Visible platform, plugin, theme, or builder clues.
- Broken public forms, obvious public debug text, stale pages, or public repo/document leakage found through normal browsing/search.
- Ownership and handoff gaps between site owner, agency, host, plugin vendor, and support route.

## Output

The packet returns:

- one-page executive summary;
- risk/action table with public-only evidence;
- priority fixes;
- questions for the site owner, developer, agency, or host;
- optional implementation or handoff scope after permission.

## Pricing shape

Starting range:

- `USD 49-99` for passive public triage.
- `USD 149-299` for owner-authorized deeper check.

The exact scope depends on site size, business risk, and whether the owner authorizes deeper non-destructive checks.

## Good fit

This is useful when:

- the site handles leads, bookings, checkout, paid traffic, client trust, or important forms;
- the owner is unsure who owns fixes between agency, host, plugins, and internal staff;
- a freelancer or agency wants a cheap first-pass risk/action map before quoting bigger work;
- someone needs practical next actions instead of a long generic security report.

## Bad fit

This is not a fit when:

- there is no owner or permission path;
- the buyer wants exploit proof before authorizing scope;
- the only path is unauthorized testing;
- there is no business value or follow-up owner.

## Safe request

Useful starting message:

> I can do a small public-only security hygiene packet for the site: no login, no probing, no exploit work. You get a short list of visible risk signals, likely fixes, and the right questions for your host/dev.

## Handoff format

For each item:

| Priority | Public signal | Why it matters | Suggested next step | Owner question |
| --- | --- | --- | --- | --- |
| P1/P2/P3 | visible signal only | business-language risk | practical fix path | what needs confirmation |

No secrets, private data, credentials, cookies, tokens, or personal data should be included in the packet.
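The public-only checks listed above (security headers, mixed content, `security.txt`) and the handoff table format can be joined into one small passive script. The following is an added example written for this page, not code from the packet itself: it works only on artifacts you have already collected from normal browsing (a captured response header set, the page HTML, the fetched `security.txt` body), sends no requests, and emits rows in the handoff table. The expected-header mapping, the priorities, and the sample inputs are assumptions constructed for the example.

```python
"""Passive hygiene checks over already-captured public artifacts.

Nothing here sends a request or logs in; the inputs are a copied response
header set, the page body, and an optional security.txt body.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumed first-pass expectations: header -> (priority if missing, business risk, fix).
EXPECTED_HEADERS = {
    "strict-transport-security": ("P1", "Browsers may still load the site over plain HTTP", "Enable HSTS at the host or CDN"),
    "content-security-policy": ("P2", "Injected scripts run unrestricted on lead/checkout pages", "Start with a report-only CSP"),
    "x-frame-options": ("P2", "Pages can be framed by other sites (clickjacking)", "Send DENY or a frame-ancestors CSP"),
    "x-content-type-options": ("P3", "Browsers may sniff uploads into executable content", "Send nosniff"),
    "referrer-policy": ("P3", "Full URLs with form/booking parameters leak to third parties", "Send strict-origin-when-cross-origin"),
}
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2}


@dataclass
class Finding:
    priority: str
    signal: str
    why: str
    next_step: str
    owner_question: str


def check_headers(headers: dict) -> list[Finding]:
    """Flag missing hardening headers and version banners in a captured header set."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (prio, why, fix) in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(Finding(prio, f"missing {name}", why, fix,
                                    "Is this set at the host, the CDN, or inside the site/plugin stack?"))
    banner = (present.get("server", "") + " " + present.get("x-powered-by", "")).strip()
    if re.search(r"\d+\.\d+", banner):  # an exact version number is being advertised
        findings.append(Finding("P3", f"version banner: {banner}", "Advertises exact software version publicly",
                                "Suppress version detail in Server / X-Powered-By", "Who controls the web server config?"))
    return findings


def check_mixed_content(html: str) -> list[Finding]:
    """Find plain-http asset references inside an HTTPS page body."""
    urls = re.findall(r'(?:src|href)=["\'](http://[^"\']+)', html)
    if not urls:
        return []
    return [Finding("P2", f"{len(urls)} http:// asset(s), e.g. {urls[0]}",
                    "Browsers block or warn on mixed content, so forms look untrusted",
                    "Repoint assets to https://", "Which theme, plugin, or builder inserts these assets?")]


def parse_security_txt(text: str) -> dict:
    """Parse 'Field: value' lines into {field_lower: [values]}, skipping comments."""
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: Optional[str]) -> list[Finding]:
    """RFC 9116 requires Contact and Expires; report their absence, or the file's."""
    if text is None:
        return [Finding("P3", "no /.well-known/security.txt", "Researchers have no sanctioned way to report a problem",
                        "Publish a security.txt with Contact and Expires", "Who should receive vulnerability reports?")]
    fields = parse_security_txt(text)
    findings = []
    if "contact" not in fields:
        findings.append(Finding("P2", "security.txt without Contact", "Reports have nowhere to go",
                                "Add a Contact line", "Which mailbox or form receives reports?"))
    if "expires" not in fields:
        findings.append(Finding("P3", "security.txt without Expires", "Stale contact details go unnoticed",
                                "Add an Expires line and review it yearly", "Who keeps the disclosure contact current?"))
    return findings


def handoff_table(findings: list[Finding]) -> str:
    """Render findings as the packet's handoff table, highest priority first."""
    rows = ["| Priority | Public signal | Why it matters | Suggested next step | Owner question |",
            "| --- | --- | --- | --- | --- |"]
    for f in sorted(findings, key=lambda x: PRIORITY_ORDER[x.priority]):
        rows.append(f"| {f.priority} | {f.signal} | {f.why} | {f.next_step} | {f.owner_question} |")
    return "\n".join(rows)


# Constructed sample artifacts (not taken from any real site).
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html",
                  "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = '<img src="http://cdn.example.com/logo.png">\n<script src="https://js.example.com/app.js"></script>'
SAMPLE_SECURITY_TXT = "Contact: mailto:security@example.com\n# Expires line missing on purpose\n"


def run_packet(headers=SAMPLE_HEADERS, html=SAMPLE_HTML, sec_txt=SAMPLE_SECURITY_TXT) -> list[Finding]:
    return check_headers(headers) + check_mixed_content(html) + check_security_txt(sec_txt)


if __name__ == "__main__":
    print(handoff_table(run_packet()))
```

On the constructed sample this yields six rows: three missing headers, the version banner, one mixed-content asset, and the `security.txt` without `Expires`, with the HSTS row sorted to the top as P1. Every cell is derived from a visible public signal, which keeps the output inside the packet's no-secrets rule.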