Your WebPulse risk score is a measure of how many risk signals your website is currently triggering. A score of 0 means no detectable risk signals. A score of 100 means the site is triggering every major signal in the system. Most legitimate websites fall in the 0–40 range, with the lowest scores going to sites that have thoughtfully addressed every major signal category.
This guide walks through each major risk signal, how much it contributes to the score, and exactly what to do to address it — in priority order from highest to lowest impact.
How the Score Is Calculated
The WebPulse risk score combines two independent layers:
- The rule engine — a deterministic scoring layer that checks specific technical signals: HTTPS, privacy policy, contact information, security headers, domain age, threat database status, and others. Each signal has a fixed point value, and the rule engine score is the sum of triggered signals.
- The AI analysis layer — for Pro and Premium users, an AI model analyzes the content and context of the site, looking for signals that rules can't catch: manipulation language, false urgency, implausible claims, identity inconsistencies. The AI layer can add or reduce risk points based on content assessment.
For improving your score, you have direct control over the rule engine signals. They're deterministic and fixable. The AI layer responds to genuine content quality — there's no shortcut for it.
Priority 1: HTTPS / SSL (10 points)
Missing HTTPS is the single highest-impact signal: a site without HTTPS adds 10 points to its risk score immediately.
What to do: Install a TLS (SSL) certificate. Let's Encrypt provides free certificates valid for 90 days; an ACME client such as Certbot, or your host's built-in integration, renews them automatically. Every major hosting provider offers Let's Encrypt integration, typically as a one-click setup in the control panel.
If your site is on a managed platform (Shopify, Squarespace, Webflow), HTTPS is typically automatic and included. If you're self-hosting, check your hosting provider's control panel for SSL certificate management.
After installing SSL, verify that all pages load correctly over HTTPS and that there are no "mixed content" warnings (resources loading over HTTP on HTTPS pages). Mixed content appears in browser developer tools and should be resolved by updating hardcoded HTTP URLs to HTTPS.
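A mixed-content check like the one described above can also be run offline against saved HTML. The following is an added example, not part of the original guide or of WebPulse; the tag and `rel` lists are a reasonable working set rather than an exhaustive one, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Tag -> attributes that fetch a subresource; <a href> is navigation, so absent.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "embed": ("src",), "object": ("data",),
}
# <link> only fetches for some rel values; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        names = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link" and FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = attrs.get(name, "")
            # srcset is a comma-separated list of "url descriptor" candidates
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                parts = candidate.split()
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, parts[0]))


def find_mixed_content(html):
    """Return (line, tag, attribute, url) for each subresource loaded over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample: two insecure subresources; the <a> and canonical are not.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
</head><body>
<a href="http://example.com/old">old link</a>
<img src="/logo.png" srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_PAGE))
```

Resources injected by scripts or referenced from CSS `url()` values are not visible to a static HTML scan, so the browser console remains the final check.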
Priority 2: Contact Information (8 points)
Missing or unverifiable contact information adds 8 points. The rule engine looks for a dedicated contact page with at least one verifiable contact method: an email address on the site's own domain, a phone number, or a physical address.
What to do: Create or improve your contact page. At minimum, include:
- An email address using your site's domain (not a free Gmail address)
- A contact form that demonstrably routes to a real person
- Optionally: phone number, physical address, or business hours
For business contact emails, use `contact@yourdomain.com` or similar. Free email addresses (Gmail, Yahoo, Hotmail) on a business site are a weak trust signal. Most domain registrars and hosting providers include domain email as part of their packages.
Priority 3: Privacy Policy (6 points)
A missing privacy policy adds 6 points. A privacy policy is also legally required in most jurisdictions for sites that collect any personal data (which includes website visitor data collected by Google Analytics, for instance).
What to do: Add a substantive privacy policy that specifically addresses your actual data collection practices. Generic privacy policy templates that don't mention your specific tools and practices are better than nothing, but a policy that accurately reflects what you actually do is both more legally protective and scores better in the AI analysis layer.
Key sections your privacy policy should include:
- What data you collect (forms, analytics, cookies)
- Why you collect it (what purposes it serves)
- How long you retain it
- Who you share it with (including analytics providers, email marketing platforms)
- How users can request data deletion or access
The privacy policy should be linked from the site footer and from any data collection points (forms, checkout pages, account creation).
Priority 4: About Page (5 points)
Missing or extremely thin about page content adds 5 points. The rule engine checks for an about page; the AI layer considers whether the about page contains substantive, credible information about who operates the site.
What to do: Create or significantly improve your about page. A substantive about page includes:
- Who operates the site (individual or organization)
- What the site's purpose is and who it serves
- Background information about the operator (professional history, qualifications, why they're credible on the topic)
- For businesses: company founding, team members, and mission
Named individuals with verifiable LinkedIn profiles or other external presence are a strong positive signal. An about page that's entirely anonymous, or that uses stock photos for "team members," scores negatively in the AI layer regardless of length.
Priority 5: Terms of Service (4 points)
A missing terms of service adds 4 points. For sites with user accounts, purchases, or content creation, terms of service are also a legal necessity.
What to do: Add a terms of service that covers your actual service. The terms should specify:
- What users can and cannot do on the site
- Payment terms if applicable (refund policy, subscription cancellation)
- Limitation of liability and disclaimers appropriate to your service type
- How disputes are handled
Link the terms from your footer, from account creation flows, and from checkout pages.
Priority 6: Security Headers (3–5 points combined)
Missing security headers collectively contribute several points. The specific headers checked are:
- `X-Content-Type-Options: nosniff` — prevents MIME type sniffing attacks
- `X-Frame-Options` — prevents clickjacking
- `Strict-Transport-Security` — enforces HTTPS connections
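What to do: Add these headers to your server or CDN configuration. Enable `Strict-Transport-Security` only after every page serves correctly over HTTPS, and `includeSubDomains` only if every subdomain does too, because browsers remember the policy for the full `max-age`.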
For Apache, add to `.htaccess`:
```
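# Requires mod_headers. "always" also sets the headers on error and redirect responses.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"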
```
For Nginx, add to your server block:
```
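# "always" adds the header to error responses too; without it only selected 2xx/3xx codes get it.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;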
```
For Cloudflare users, these headers can be added via Cloudflare Transform Rules without touching your server configuration.
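To confirm the configuration took effect, the response headers can be checked for value as well as presence. The following is an added example, not WebPulse's own logic or code from the original guide; the sample response is constructed, and the `min_hsts_age` threshold is an assumption taken from the `max-age` value in the configurations above.

```python
import re


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_security_headers(raw, min_hsts_age=31536000):
    """Return {header: problem}; an empty dict means all three checks pass."""
    # min_hsts_age is an assumed threshold (the max-age used in the guide's config)
    h, problems = parse_headers(raw), {}
    xcto = h.get("x-content-type-options", [None])[0]
    if xcto is None:
        problems["X-Content-Type-Options"] = "missing"
    elif xcto.lower() != "nosniff":
        problems["X-Content-Type-Options"] = f"unrecognised value {xcto!r}"
    xfo = h.get("x-frame-options", [None])[0]
    if xfo is None:
        problems["X-Frame-Options"] = "missing"
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers
        problems["X-Frame-Options"] = f"unsupported value {xfo!r}"
    hsts = h.get("strict-transport-security", [None])[0]
    match = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        problems["Strict-Transport-Security"] = "missing"
    elif match is None:
        problems["Strict-Transport-Security"] = "no max-age directive"
    elif int(match.group(1)) < min_hsts_age:
        # max-age=0 tells the browser to forget the policy altogether
        problems["Strict-Transport-Security"] = f"max-age={match.group(1)} is too short"
    return problems


# Constructed sample response (not captured from a real site): all three present, all wrong.
WEAK = """HTTP/1.1 200 OK
X-Content-Type-Options: no-sniff
X-Frame-Options: ALLOW-FROM https://example.com
Strict-Transport-Security: max-age=0
"""

if __name__ == "__main__":
    print(audit_security_headers(WEAK))
```

Feed it the output of a header request against both a normal page and an error page, since headers set without `always` are typically missing from the latter.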
Priority 7: Social Media Presence (2 points)
Absence of any detectable social media links adds 2 points. This is a secondary signal, but linkable social profiles (LinkedIn, Twitter/X, GitHub) are easy to add.
What to do: Add links to your verified social profiles in your site footer or about page. At minimum, a LinkedIn company page provides an independently verifiable business identity signal. GitHub is relevant for developer tools and open-source projects.
Domain Age (Variable)
Domain age is a signal that can't be changed directly — it's based on when your domain was registered. A domain younger than 6 months adds points; younger than 30 days adds more.
The only solution here is time. Continue operating legitimately and the domain age signal will improve automatically. If you're a new site, focus on all the other signals to keep your total score as low as possible while the domain ages.
After Making Changes
After implementing improvements, rescan your site to see the updated score. Most rule engine changes reflect immediately in a new scan. AI layer analysis may take slightly longer to reflect content updates.
Keep records of your scan scores over time to track improvement trends. A site that has moved from a risk score of 65 to 25 over six months has a positive trend story that's worth documenting — whether for your own operational records, for partner vetting conversations, or for internal stakeholder reporting.