Understanding Your Website Security Score: What It Means & How to Improve It


When you run your website through a scanner like FunSentry, Mozilla Observatory, or SecurityHeaders.com, you are often presented with a grade ranging from A+ to F.

Seeing a bright red “F” can be panic-inducing. Does it mean you are hacked? Does it mean your site is broken?

Not necessarily. A security score is like a credit score for your website: it does not tell you whether you have already been breached, but it tells anyone who looks how exposed your configuration is and how easy you would be to attack.

In this guide, we will demystify what these scores actually measure, why they matter for your SEO and user trust, and exactly how to turn that “F” into an “A”.


What is a Website Security Score?

A security score is an aggregate metric calculated by analyzing the publicly visible security configurations of your server.

Scanners do not look at your backend code or log into your dashboard. Instead, they look at the “handshake” your server makes with a browser. They ask:

  1. Is the connection encrypted? (SSL/TLS)
  2. Are the defense instructions clear? (HTTP Headers)
  3. Is the software outdated? (Version Exposure)
  4. Is the site on any blacklists? (Malware Reputation)

The Grading Scale

  • Grade A: Exceptional. You are using modern encryption, forcing HTTPS, and have strict security headers (HSTS, CSP) enabled.
  • Grade B/C: Average. You have an SSL certificate, but you might be missing critical headers or allowing older TLS protocols.
  • Grade D/F: High Risk. You might be supporting unencrypted HTTP connections, exposing software versions, or missing basic protections against Clickjacking or XSS.

Why Does Your Score Matter?

You might think, “My site works fine, why do I care about a letter grade?”

1. SEO Ranking

Search engines like Google prioritize secure websites. Google has treated HTTPS as a ranking signal since 2014, and a low score usually means the site is still reachable over plain HTTP or does not redirect to HTTPS, so the grade and the ranking signal tend to move together.

2. Browser Warnings

Browsers do not read your scanner grade, but they react to the same underlying problems. Chrome, Safari and Edge label plain-HTTP pages “Not Secure”, refuse to load an expired certificate without a full-page warning, and block active mixed content (scripts and stylesheets fetched over HTTP) outright. A low grade caused by those issues is something your visitors see before they see your content.

3. Attack Surface

A low score reflects the things mass-scanning tools fingerprint first: a plain-HTTP endpoint, a Server or X-Powered-By header naming an exact version, a WordPress generator tag. Attackers do not look up your letter grade, but their scanners key on exactly those signals to pick targets for automated, version-specific exploits, so a low grade is a good proxy for being “low hanging fruit.”


How to Improve Your Security Score (Step-by-Step)

Improving your score isn’t just about chasing a grade; it’s about closing actual security holes. Here are the 5 most effective ways to boost your rating.

1. Force HTTPS (The Biggest Impact)

Just having a TLS certificate isn’t enough. You must force all traffic to use it. If a scanner can fetch http://yoursite.com without being redirected to https://, your score will tank.

The Fix:

Add a 301 Redirect in your .htaccess file (this only works if AllowOverride permits rewrite rules in .htaccess; otherwise put the same block in the virtual host configuration):

Apache

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only rewrite requests that did not arrive over TLS. Behind a TLS-terminating
    # proxy or CDN %{HTTPS} is always "off"; use this condition instead:
    #   RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    # %{HTTP_HOST} echoes the client's Host header; if you serve one domain, hard-code it.
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

2. Add Security Headers

This is where most WordPress sites fail. “HTTP Headers” are instructions your server sends to the browser to tell it how to behave. By default, Apache and Nginx send almost none.

You need to add these:

  • X-Frame-Options: Prevents “Clickjacking” (people embedding your site in a hidden iframe).
  • X-Content-Type-Options: Prevents MIME-sniffing attacks.
  • Referrer-Policy: Controls how much data is sent when users click links on your site.
  • Strict-Transport-Security (HSTS): Tells browsers that have seen it once to use HTTPS only for the next max-age seconds, without even trying HTTP. With includeSubDomains that promise covers every subdomain, so make sure all of them already serve HTTPS before you enable it; an HSTS-pinned subdomain without a certificate becomes unreachable until max-age expires.

The Fix (Add to .htaccess):

Apache

<IfModule mod_headers.c>
    # "always" also applies the header to error responses (404, 500) and redirects,
    # which scanners check too; plain "set" only covers successful responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Only send HSTS on HTTPS responses; browsers ignore it over plain HTTP anyway.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>

3. Hide Server Information (Server Signature)

By default, your server proudly announces exactly what software it is running (e.g., Server: Apache/2.4.41 (Ubuntu)). This helps hackers find specific exploits for your version.

The Fix:

Apache’s own configuration can only shorten this to Server: Apache; removing the header entirely needs mod_security (SecServerSignature) or a reverse proxy in front that strips it. The PHP version usually leaks through a separate X-Powered-By header.

  • For Apache: Add ServerTokens Prod and ServerSignature Off to the main server config (ServerTokens is not allowed in .htaccess).
  • For PHP: Set expose_php = Off in php.ini to drop the X-Powered-By: PHP/x.y.z header.
  • For WordPress: Hide the version generator meta tag. The version also leaks through the ?ver= query string on enqueued scripts and styles and through the stock readme.html, so treat hiding as cosmetic and keep WordPress updated regardless.

Add this to your theme’s functions.php (to strip the generator from RSS feeds as well, also add add_filter('the_generator', '__return_empty_string');):

PHP

// Stop WordPress printing <meta name="generator" content="WordPress x.y"> in the <head>.
remove_action('wp_head', 'wp_generator');

4. Implement a Content Security Policy (CSP)

This is the “Boss Level” of security scores. A CSP limits the damage of Cross-Site Scripting (XSS) by allowlisting where scripts may load from and whether inline scripts may run at all. Implementing this correctly often pushes a “B” grade to an “A+”. The caveat: a permissive policy such as default-src * with 'unsafe-inline' satisfies a “header present” check while protecting nothing, so start with Content-Security-Policy-Report-Only, watch the violation reports, and only then enforce.

(Check our detailed guide on CSP for the exact code).
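Because a CSP can be present and still useless, here is an added example (not code from this page’s CSP guide or from FunSentry) in Python that lints a policy value for the weaknesses just described. The rule set is a hand-picked subset of common CSP guidance, the two sample policies are constructed, and 'nonce-r4nd0m' is a placeholder: real nonces must be unpredictable and generated per response.

```python
"""Lint a Content-Security-Policy value for the mistakes that make it useless
against XSS. The rules are a hand-picked subset of common CSP guidance, not a
complete evaluator; the "bad" source expressions flagged are assumptions."""
import re

# A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-")


def parse_csp(policy: str) -> dict:
    """Split "default-src 'self'; script-src a b" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective(directives: dict, name: str):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return directives[name] if name in directives else directives.get("default-src")


def lint_csp(policy: str) -> list:
    """Return human-readable problems; an empty list means no rule fired."""
    d = parse_csp(policy)
    problems = []
    if "default-src" not in d:
        problems.append("no default-src: undeclared resource types load from anywhere")

    scripts = effective(d, "script-src")
    if scripts is None:
        problems.append("script-src unrestricted: neither script-src nor default-src set")
    else:
        if "'unsafe-inline'" in scripts and not any(NONCE_OR_HASH.match(s) for s in scripts):
            problems.append("script-src allows 'unsafe-inline': injected inline scripts still run")
        if "'unsafe-eval'" in scripts:
            problems.append("script-src allows 'unsafe-eval'")
        for src in ("*", "data:", "http:", "https:"):
            if src in scripts:
                problems.append(f"script-src allows {src}: scripts load from any matching origin")

    if effective(d, "object-src") != ["'none'"]:
        problems.append("object-src should be 'none' (plugin content is another script vector)")
    if "base-uri" not in d:
        problems.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in d:
        problems.append("no frame-ancestors: this CSP adds no clickjacking protection")
    return problems


# Constructed policies: the permissive one is the kind that satisfies a
# "header present" check while blocking nothing; the strict one is a
# nonce-based starting point (the nonce value is a placeholder).
PERMISSIVE = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"
STRICT = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; "
          "base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests")

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, lint_csp(policy) or ["no problems found"])
```

The permissive policy trips six rules and the strict one none, which is the difference between a header that raises a grade and a header that stops an injected script. Paste the value you intend to ship into lint_csp() before you switch from Report-Only to enforcing.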

5. Fix “Mixed Content”

If your page loads over HTTPS but a logo or background image is still referenced via http://, browsers show a warning; if the HTTP resource is a script, stylesheet or iframe they block it outright and parts of the page break. Scanners penalize either kind heavily.

The Fix:

Use a plugin such as Better Search Replace to find http://yoursite.com in your database and replace it with https://yoursite.com. Use a plugin rather than a raw SQL UPDATE because WordPress stores some URLs inside serialized option values, and a plain string replace corrupts their length prefixes. Third-party resources that are only served over HTTP cannot be fixed this way; self-host them or find an HTTPS source. As a backstop for anything you miss, the CSP directive upgrade-insecure-requests tells browsers to fetch http:// subresources over https:// instead.
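To see which references the search-and-replace actually fixes, here is an added example (not Better Search Replace’s code or anything from FunSentry) in Python: it walks a constructed HTML fragment, lists every subresource fetched over http://, marks each as active (blocked by browsers) or passive (warned about), and then applies a same-origin http→https rewrite, assuming the site is yoursite.com, to show what remains.

```python
"""Find mixed content in an HTTPS page and show what a same-origin
search-and-replace fixes (and what it cannot). The sample HTML is constructed."""
from html.parser import HTMLParser

# Browsers block "active" mixed content outright and only warn about "passive".
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
URL_ATTRS = {"src", "href", "data", "poster"}


class MixedContentFinder(HTMLParser):
    """Collect (tag, url, kind) for every subresource referenced over http://."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            return  # navigation links are not mixed content
        for name, value in attrs:
            if name == "href" and tag != "link":
                continue  # href only fetches a subresource on <link>
            if name in URL_ATTRS and value and value.lower().startswith("http://"):
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.found.append((tag, value, kind))


def find_mixed_content(html: str) -> list:
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.found


def replace_site_scheme(html: str, site: str) -> str:
    """The database search-and-replace step, applied to markup: only our own origin."""
    return html.replace(f"http://{site}", f"https://{site}")


# Constructed page fragment, not a real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/x/style.css">
<script src="http://yoursite.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://yoursite.com/wp-content/uploads/logo.png">
<img src="http://cdn.example.net/banner.jpg">
<a href="http://yoursite.com/about">About</a>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""

if __name__ == "__main__":
    for item in find_mixed_content(SAMPLE):
        print("before:", item)
    for item in find_mixed_content(replace_site_scheme(SAMPLE, "yoursite.com")):
        print("still mixed after search-and-replace:", item)
```

Four references are mixed before the rewrite (the stylesheet and script would be blocked, the two images only warned about); afterwards only the third-party banner on cdn.example.net remains, which is exactly the case a database search-and-replace cannot touch.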


Case Study: From F to A

Let’s look at a typical WordPress scenario.

Initial Scan (Grade F):

  • SSL is installed but doesn’t force HTTPS.
  • Server headers reveal “Apache 2.4.29” and “PHP 7.2”.
  • No X-Frame protection.

After Improvements (Grade A):

  1. Action: Added 301 Redirect to HTTPS.
    • Result: Grade moved to C.
  2. Action: Added X-Frame-Options and X-Content-Type-Options.
    • Result: Grade moved to B.
  3. Action: Enabled HSTS (Strict Transport Security).
    • Result: Grade moved to A.
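To make the grading concrete, here is an added example in Python (not FunSentry’s scanner or scoring code, nor any other vendor’s). It parses a constructed HTTP response head the way the scanners described under “What is a Website Security Score?” see it, runs the header checks from steps 2 and 3, and replays this case study with an assumed points rubric. The weights, thresholds and the response head are assumptions chosen to mirror this page’s priorities; TLS protocol and reputation checks are left out because they need a live connection.

```python
"""Model of what a header scanner observes, with a simplified letter grade.

The weights and thresholds are assumptions chosen to mirror the priorities on
this page; they are not FunSentry's, Mozilla Observatory's or
SecurityHeaders.com's real algorithm. TLS protocol and reputation checks are
left out because they need a live connection.
"""
import re

VERSION_RE = re.compile(r"\d+\.\d+")  # catches "Apache/2.4.29", "PHP/7.2.24"

# Points deducted per failed check, largest impact first (assumed weights).
WEIGHTS = {
    "no redirect from HTTP to HTTPS": 35,
    "missing Strict-Transport-Security": 20,
    "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)": 10,
    "missing X-Content-Type-Options: nosniff": 10,
    "missing Content-Security-Policy": 10,
    "Server header exposes a version": 5,
    "X-Powered-By header exposes a version": 5,
    "missing Referrer-Policy": 5,
}


def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response head into a lower-cased {name: value} dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # line 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def findings(headers: dict, http_redirects_to_https: bool) -> list:
    """Return the problems a scanner would report for one site."""
    csp = headers.get("content-security-policy", "")
    checks = {
        "no redirect from HTTP to HTTPS": not http_redirects_to_https,
        "missing Strict-Transport-Security": not re.search(
            r"max-age=\d+", headers.get("strict-transport-security", "")),
        "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)":
            "x-frame-options" not in headers and "frame-ancestors" not in csp,
        "missing X-Content-Type-Options: nosniff":
            headers.get("x-content-type-options", "").lower() != "nosniff",
        "missing Content-Security-Policy": not csp,
        "Server header exposes a version":
            bool(VERSION_RE.search(headers.get("server", ""))),
        "X-Powered-By header exposes a version":
            bool(VERSION_RE.search(headers.get("x-powered-by", ""))),
        "missing Referrer-Policy": "referrer-policy" not in headers,
    }
    return [name for name, failed in checks.items() if failed]


def grade(headers: dict, http_redirects_to_https: bool) -> str:
    """Deduct each failed check's weight from 100 and map the score to a letter."""
    score = 100 - sum(WEIGHTS[f] for f in findings(headers, http_redirects_to_https))
    for letter, floor in (("A+", 95), ("A", 75), ("B", 55), ("C", 35), ("D", 20)):
        if score >= floor:
            return letter
    return "F"


# Constructed response head matching the case study's starting point.
INITIAL_SCAN = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""


def case_study() -> list:
    """Replay the page's walk-through and return the grade after each step."""
    start = parse_headers(INITIAL_SCAN)
    step1 = dict(start)  # headers unchanged; only the HTTP->HTTPS redirect is added
    step2 = {**step1, "x-frame-options": "SAMEORIGIN",
             "x-content-type-options": "nosniff"}
    step3 = {**step2, "strict-transport-security":
             "max-age=31536000; includeSubDomains"}
    return [grade(start, False), grade(step1, True),
            grade(step2, True), grade(step3, True)]


if __name__ == "__main__":
    for problem in findings(parse_headers(INITIAL_SCAN), False):
        print(f"- {problem} (-{WEIGHTS[problem]})")
    print(case_study())  # ['F', 'C', 'B', 'A']
```

The order is the point: the redirect and HSTS carry the most weight, which is why the case study climbs from F to A on three actions while the version strings are still exposed. To grade your own site, replace INITIAL_SCAN with the output of curl -sI https://yoursite.com and set the redirect flag from what curl -sI http://yoursite.com returns.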

Summary Checklist

Action                    | Difficulty | Impact on Score
--------------------------|------------|---------------------
Force HTTPS               | Easy       | ⭐⭐⭐⭐⭐ (Critical)
HSTS Header               | Easy       | ⭐⭐⭐⭐⭐ (Critical)
X-Frame-Options           | Easy       | ⭐⭐⭐⭐ (High)
Hide WP Version           | Easy       | ⭐⭐⭐ (Medium)
Content Security Policy   | Hard       | ⭐⭐⭐ (Bonus)

What is your site’s score?

Don’t guess. Run a free scan at FunSentry right now. We will give you a letter grade and, more importantly, a plain-English checklist of exactly which headers you are missing and how to fix them.