May 26, 2026·3 min read

What I Found on a Dental Office's Website Last Week

I audited a dental office's website last week.

Open admin port. No DMARC record — meaning anyone could send email pretending to be them. SSL certificate that expired four months ago.

They had no idea. Their IT guy had "handled it" two years ago.

This is not rare. This is most small medical practices.

The Three Things Most Dental Websites Get Wrong

1. No DMARC record on the email domain

DMARC is a DNS record that tells receiving mail servers what to do with a message that claims to come from your domain but fails authentication (the SPF and DKIM checks). Without it, anyone can send an email that appears to come from your practice. Patients get phishing emails that look like they're from you. You have no way to know it's happening.

Setting up DMARC takes about fifteen minutes and costs nothing. Most dental offices don't have it.
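A record existing is not the same as a record doing anything, so an audit should grade the policy too. The sketch below is an added example (not near0's code) that grades the TXT strings found at `_dmarc.<domain>`; the function names and the `example.com` records are constructed for illustration, and tag parsing is simplified.

```python
# Added example, not near0's code. Sample records are constructed.
# Real input would be the TXT strings at _dmarc.<domain>, e.g. from
#   dig +short TXT _dmarc.example.com

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(txt_records):
    """Return (status, detail) for the TXT strings published at _dmarc.<domain>."""
    # Unrelated TXT strings are ignored; only v=DMARC1 records count.
    records = [t for t in map(parse_dmarc, txt_records) if t.get("v") == "DMARC1"]
    if not records:
        return "missing", "no DMARC record published"
    if len(records) > 1:
        # RFC 7489 6.6.3: more than one record means DMARC is not applied.
        return "invalid", "multiple DMARC records, receivers apply none"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "p= tag missing or unrecognised"
    if policy == "none":
        return "monitor-only", "p=none requests no action on failing mail"
    if "rua" not in tags:
        return "enforced", f"p={policy}, but no rua= so no aggregate reports"
    return "enforced", f"p={policy} with aggregate reports to {tags['rua']}"

SAMPLES = {  # constructed records for illustration
    "no record": [],
    "spf only": ['"v=spf1 include:_spf.example.com ~all"'],
    "monitoring": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
    "enforcing": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    "duplicate": ['"v=DMARC1; p=reject"', '"v=DMARC1; p=none"'],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label:11} -> {grade_dmarc(records)}")
```

Only the "enforcing" sample asks receivers to act on spoofed mail; "monitoring" is a reasonable first step while reports are reviewed, but it leaves spoofed messages deliverable.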

2. Shared hosting with no firewall rules

Most small practice websites run on shared hosting — GoDaddy, Bluehost, HostGator. These plans put your site on a server alongside hundreds of others. When the hosting company doesn't enforce firewall rules at the account level, ports that should be closed are open. That includes ports for admin access, database connections, and file transfer protocols that have no business being publicly reachable.

An attacker with a port scanner finds this in seconds.

3. SSL certificates that quietly expired

SSL certificates renew automatically — until they don't. A lapsed credit card, a changed hosting account, a misconfigured auto-renewal. The certificate expires and the site starts throwing security warnings to every visitor. Google quietly downgrades its trust in the domain. Patients see a warning and leave.

In a regulated industry like dentistry, an expired SSL certificate also signals to auditors that the site is not being actively maintained — which is relevant when a HIPAA complaint comes in.

What to Do

An external security scan of your domain shows you all three of these issues in a single report. You don't need to understand the technical details — you need to know what's there so you can hand it to someone who can fix it.

That's what near0's site audit does. It takes a few minutes and costs less than a single co-pay.

