Understanding Your Report

How We Calculate Your Security Score

Every website scanned by Biz Secure Online receives a Security Score between 1 and 100. This score gives you a clear, at-a-glance picture of how well your website is protected against known threats. Here's how we arrive at that number.

Starting Point: A Perfect 100

Every scan begins with a perfect score of 100. Think of it as a clean bill of health. From there, our scanning engine examines your website across several key areas and deducts points for each security weakness it finds. The fewer issues discovered, the closer your score stays to 100.

What We Examine

1. Vulnerability Scanning

Our engine scans your website for known security vulnerabilities — the kind that attackers actively look for and exploit. Not all vulnerabilities are created equal, so we weight them by severity:

  • Critical vulnerabilities carry the heaviest penalty. These are serious flaws that could allow an attacker to take control of your website, steal data, or cause significant damage.
  • High severity vulnerabilities are significant risks that need prompt attention. They may not be as immediately dangerous as critical issues, but they represent clear security gaps.
  • Medium severity vulnerabilities are moderate risks that typically require specific conditions to exploit but still represent weaknesses in your defences.
  • Low severity vulnerabilities are minor issues that don't pose an immediate threat on their own, but addressing them contributes to a stronger overall security posture.

2. Security Headers

Security headers are instructions your website sends to visitors' browsers, telling them how to behave securely. They protect against common attacks like cross-site scripting, clickjacking, and data injection.

This assessment accounts for roughly 30% of your overall score, reflecting just how important these invisible but powerful protections are. We check for six critical headers:

  • Strict-Transport-Security (HSTS) — Forces encrypted connections
  • Content-Security-Policy (CSP) — Controls which resources can load
  • X-Frame-Options — Prevents clickjacking attacks
  • X-Content-Type-Options — Stops MIME-type sniffing
  • Referrer-Policy — Controls referrer information sharing
  • Permissions-Policy — Restricts browser feature access

3. Open Ports and Exposed Services

Every website runs on a server, and that server has network ports — digital doorways that allow different types of traffic in and out. Some ports are expected and necessary (like the ones that serve your web pages), but others can be dangerous if left open.

Our scan checks for high-risk open ports — things like exposed database connections or remote access services that should never be publicly accessible. Each high-risk port discovered results in a significant score deduction, because these are the kinds of entry points attackers look for first.

4. WordPress-Specific Analysis

If your website runs on WordPress (which powers over 40% of all websites), we run additional checks specifically designed for the platform. WordPress sites can be vulnerable to attacks through outdated plugins, themes, and core software.

Each WordPress-specific vulnerability found results in an additional score deduction, reflecting the added risk that comes with running outdated or insecure WordPress components.

5. WAF and Bot Protection Detection

Many well-secured websites use Web Application Firewalls (WAFs) or bot protection services — such as SiteGround, Cloudflare, Sucuri, and others — that can block automated scanners from seeing the real site. Without special handling, this would result in our scanner evaluating a CAPTCHA challenge page instead of your actual security headers, unfairly lowering your score.

Our scanner automatically detects when a WAF or bot protection service is active. When detected, it retries the request using a headless Firefox browser to get past the challenge. If the protection still blocks access, the scanner switches to advisory mode: your header findings are still shown in the report so you can review them, but they are clearly marked as unverified and carry zero score impact.

This ensures that sites with strong bot protection are never punished for having good security practices in place.

How the Final Score is Determined

After examining all of these areas, we combine the results into a single score:

  1. We start with the vulnerability deductions based on severity
  2. We blend in your security header assessment, which carries significant weight in the final calculation
  3. We apply additional deductions for any WordPress-specific issues found
  4. We apply additional deductions for any high-risk open ports detected
  5. The final score is clamped between 1 and 100

The result is a single number that reflects the overall security health of your website.

What Your Score Means

  • 85–100 (Strong) — Your website has solid security foundations. Keep monitoring regularly to maintain this standard.
  • 60–84 (Moderate) — There are areas for improvement. Review the detailed findings in your report and address the higher-severity issues first.
  • 1–59 (Weak) — Your website has significant security gaps that need urgent attention. Prioritise the critical and high-severity findings in your report.
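The five scoring steps, the six-header check, the advisory-mode rule from the WAF section and the score bands above, worked through as an added illustration (this is not Biz Secure Online's own code). The per-finding penalties, the exact 0.30 header weight and the blending formula are assumptions, since the page only gives the order of the steps and the rough 30% share; the sample response headers are constructed.

```python
# Added illustration of the scoring steps this page describes, not Biz Secure
# Online's own code. Penalty values, the 0.30 weight and the blend are assumed.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)
SEVERITY_PENALTY = {"critical": 25, "high": 15, "medium": 8, "low": 3}  # assumed
WORDPRESS_PENALTY = 10       # assumed, per WordPress-specific finding
HIGH_RISK_PORT_PENALTY = 15  # assumed, per exposed high-risk port
HEADER_WEIGHT = 0.30         # "roughly 30%" of the overall score

def assess_headers(response_headers):
    """Return (missing, fraction_present); HTTP header names are case-insensitive."""
    present = {name.lower() for name in response_headers}
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
    return missing, (len(REQUIRED_HEADERS) - len(missing)) / len(REQUIRED_HEADERS)

def security_score(findings, response_headers, wp_findings=0,
                   risky_ports=0, headers_verified=True):
    """Combine the five steps into one score clamped to the 1..100 range."""
    score = 100
    for severity in findings:                      # 1. severity-weighted deductions
        score -= SEVERITY_PENALTY[severity]
    if headers_verified:                           # 2. blend in the header assessment
        _, fraction = assess_headers(response_headers)
        score = round((1 - HEADER_WEIGHT) * score + HEADER_WEIGHT * 100 * fraction)
    # Advisory mode (WAF still blocking): header findings are reported but carry zero impact.
    score -= WORDPRESS_PENALTY * wp_findings       # 3. WordPress-specific issues
    score -= HIGH_RISK_PORT_PENALTY * risky_ports  # 4. high-risk open ports
    return max(1, min(100, score))                 # 5. clamp to 1..100

def rating(score):
    """Map a score to the Strong / Moderate / Weak bands the report uses."""
    if score >= 85:
        return "Strong"
    if score >= 60:
        return "Moderate"
    return "Weak"

# Constructed sample response headers: only two of the six checked headers are present.
SAMPLE_HEADERS = {"strict-transport-security": "max-age=63072000",
                  "X-Content-Type-Options": "nosniff", "Content-Type": "text/html"}

if __name__ == "__main__":
    s = security_score(["high", "medium"], SAMPLE_HEADERS, wp_findings=1, risky_ports=1)
    print(s, rating(s))  # 39 Weak under the assumed weights
```

Passing headers_verified=False reproduces advisory mode: the missing headers are still listed by assess_headers, but the score is computed without them.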

Why Regular Scanning Matters

Security is not a one-time exercise. New vulnerabilities are discovered every day, software updates change your risk profile, and the threat landscape is constantly evolving. Regular scanning ensures your Security Score reflects the current state of your website — not what it looked like weeks or months ago.

With Biz Secure Online, you can schedule automated scans on a daily, weekly, or monthly basis so you always have an up-to-date view of your security posture — and you'll be notified by email the moment a scan completes.
