This website vulnerability assessment FAQ is a list of frequently asked questions we often hear from clients, plus answers from the FireOak Strategies team.
If your question isn’t on this list, let us know. We periodically update this page with new questions and answers.
What is a website vulnerability assessment?
A FireOak website vulnerability assessment is a hands-on assessment of a website from a security perspective. We fully examine all of the components of your website from the inside out. From this point of view, we can get a complete view of the entire ecosystem related to your site, including how other systems might be impacting your site’s security. This type of review is sometimes referred to as a “white box” assessment.
What’s the difference between a penetration test and a vulnerability assessment?
“Penetration tests” and “vulnerability assessments” are phrases that are often used interchangeably, but they are quite different things. Read our full explanation of the difference between the two, when to conduct each type of assessment, and which might be the best fit for your organization. (Spoiler: it’s likely a vulnerability assessment!)
What platforms do you assess in website vulnerability assessments?
FireOak is able to conduct a website vulnerability assessment for nearly any website. Most of our clients are using WordPress, but we’ve conducted website vulnerability assessments for clients using other content management systems including Squarespace, Wix, Drupal, Kraft, and others. We’ve also conducted several vulnerability assessments for clients that have entirely custom-developed websites using a wide range of programming languages, tools, and platforms.
How long does it take to conduct a website vulnerability assessment?
For a WordPress site, it usually takes 4-6 weeks once we begin work. Sites with other types of content management systems might be faster or slower, depending on the details. Fully custom-developed sites typically take 6-8 weeks or longer, depending on their complexity, once we begin work.
Our organization doesn’t have a dedicated IT team. Will we be able to understand your recommendations?
Many of the small businesses and small non-profit organizations that we work with don’t have a dedicated IT team. We pride ourselves on writing reports that are understandable by staff who aren’t technology specialists. At the end of the engagement, we’ll review our recommendations with you and answer any questions you have.
Why do you need administrative credentials to our hosting provider’s portal?
FireOak conducts “white box” vulnerability assessments so we can get a complete view of the entire ecosystem related to your website. From this point of view, we can fully examine all of the components of your website, and we can identify other systems that might be impacting your site’s security. This approach allows us to give you the most comprehensive assessment of your site’s security.
Do we need to stop work on our website while FireOak is conducting this website vulnerability assessment?
No. Your team is welcome to continue adding new content (blog posts, pages, images, etc.) and handling any typical day-to-day management and operations of the site. If you are about to undertake any large-scale changes to the infrastructure, please let us know in advance.
If we’re getting ready to do a big overhaul of our website, should we wait until after that to do a website vulnerability assessment?
It depends. If you’re going to use the same hosting provider and content management platform as part of your planned updates, it can be helpful to conduct an assessment before work gets underway so you can incorporate our recommendations into the next iteration of the site. However, if you’re going to move to a different CMS or substantially change the back-end infrastructure, it might make sense to wait until after the new system is in place. Let us know what you’re planning, and we can offer some suggestions regarding timing.
I work for a nonprofit organization, and we don’t have a huge budget. What do most of your remediation recommendations cost to implement?
Many of our clients are nonprofits and small businesses without a large budget for website development. Many of our recommendations cost nothing to implement — they’re configuration changes or other things you can do using your existing infrastructure. Other changes might have indirect costs (such as time) to implement.
As much as possible, we tailor our recommendations to be appropriate for your organization, depending on its risk factors, size, traffic, etc.
All of our clients have been able to implement most, if not all, of our recommendations with a limited budget.
Our organization has multiple websites. How should we proceed?
Let us know which website(s). If they’re all hosted by the same hosting provider, we can likely assess multiple sites at the same time. If they’re on different platforms and/or use different hosting providers, let us know and we can discuss if it makes sense to conduct a website vulnerability assessment for one website at a time or approach the assessments as a bundle.
What’s the price of a website vulnerability assessment?
It depends on the platform, complexity, and more. We offer discounts for non-profit organizations, small businesses, and for certain types of website vulnerability assessments. Contact us for more details.
Have more questions about a website vulnerability assessment?
Reach out to the FireOak team via chat or email. We’re happy to answer your questions. Or check back — we update this website vulnerability assessment FAQ periodically with new questions.