The two most common website security vulnerabilities we see all the time
Since we've been beta-testing our website auditor, we've reviewed enough sites to have a good handle on the common security vulnerabilities that plague the web. Two issues turn up in almost every new audit, even though both are easy to fix.
Very rarely do site administrators properly configure, or configure at all, their HTTP security headers. These are response headers the website sends to the visitor's browser, telling it what it can and can't do. By enforcing those restrictions the browser makes the connection tighter and more secure, which narrows the attack surface.
Security headers are very easy to configure and are low-hanging fruit for improving security posture. The Open Web Application Security Project (OWASP) publishes guidelines for best security practice that every website should adopt, including a security headers policy.
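As an added illustration of the kind of check an auditor runs (example code written for this post, not the auditor's own code), the function below compares one response's headers against a short checklist of the commonly recommended OWASP headers. The header names are real; the minimum HSTS max-age and the two sample responses are assumptions constructed for the example.

```python
"""Audit one HTTP response's security headers against a short OWASP-style checklist."""
from typing import Dict, List

# Header names are the common OWASP Secure Headers recommendations; the HSTS
# minimum and the sample responses below are assumptions made for this example.
RECOMMENDED = {
    "strict-transport-security": "HSTS, force HTTPS on repeat visits",
    "content-security-policy": "CSP, restrict where scripts and frames load from",
    "x-content-type-options": "nosniff, stop MIME-type guessing",
    "x-frame-options": "clickjacking protection (CSP frame-ancestors also counts)",
    "referrer-policy": "limit referrer leakage to other sites",
    "permissions-policy": "restrict browser features such as camera or geolocation",
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, an assumed threshold


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means the checklist passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    for name, why in RECOMMENDED.items():
        if name in h:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        findings.append(f"missing {name} ({why})")
    # HSTS only helps if max-age is long enough to cover return visits.
    if "strict-transport-security" in h:
        max_age = 0
        for directive in h["strict-transport-security"].split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
    if "'unsafe-inline'" in csp:
        findings.append("csp allows 'unsafe-inline', which weakens script restrictions")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = {"Server": "nginx", "Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}
```

Running `audit_headers(WEAK_RESPONSE)` lists all six missing headers, while the hardened response returns no findings.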
Neglecting something as basic and minimal as security headers sends a message to both the web visitor and the cybercriminal. It tells the visitor that the website cares very little about their privacy and data protection, and it cues criminals that common exploits are likely to work.
It's the equivalent of seeing messy bathrooms and a dirty eating area at a restaurant. If it's that bad in front of the customer, imagine how bad the kitchen must be.
We recommend you check with your site administrator about these two issues to reduce your visitors' exposure. We're more than happy to confirm whether your site is affected.
These are by no means the only common security issues among the hundreds of sites we've analyzed, but the share of sites with both of these issues is close to 99%.