Sometimes we check sites for malware infections. Later we find that the malware has been taken down, but the website software, WordPress for instance, has not been updated, or has not been fully updated for every page of the site. This makes a re-infection possible. Then we see that the web server transmits the full server software version number. This should be avoided, because it makes it easy for hackers to know which exploits would work against it. A website can also give away that it generates dynamic web content, which is an additional risk.
For instance, like this with Apache:
By default the Apache configuration file has the following entries:
===
ServerTokens ProductOnly
ServerSignature On
Change the above lines to the following:
===
ServerSignature Off
ServerTokens Prod
Restart Apache and you are done.
Now the wannabe hacker has to actively probe to get even a near guess at what they are looking for, and that probing can be logged. As they are always going for the low-hanging fruit, they will probably pass your door, especially when they use automated crawling to avoid detection. The malversant can also do a site check, but not with the best of intentions at heart.
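To verify the change from your own side, here is an added example (not from the original post) that inspects a captured HTTP response header block, such as the output of `curl -sI` against your own site, and reports whether the Server header still carries a version number or an X-Powered-By header still reveals the dynamic back end. The two response samples are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: check response headers for
# the two leaks discussed above (server version, dynamic back end).

# Print the value of header $1 from response text $2 (case-insensitive,
# first match, CR and leading whitespace stripped). Empty if absent.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# True (exit 0) when the Server header contains a product/version pair
# such as "Apache/2.4.41" or "PHP/7.4.3", i.e. ServerTokens is not Prod.
server_leaks_version() {
    header_value Server "$1" | grep -Eq '[A-Za-z][A-Za-z_-]*/[0-9]+(\.[0-9]+)*'
}

# True (exit 0) when an X-Powered-By header is present at all: it tells
# a visitor which engine generates the dynamic content.
reveals_dynamic_backend() {
    [ -n "$(header_value X-Powered-By "$1")" ]
}

# Summarise a response as "leaks" or "ok".
classify() {
    if server_leaks_version "$1" || reveals_dynamic_backend "$1"; then
        echo leaks
    else
        echo ok
    fi
}

# Constructed sample responses: before and after the configuration change.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu) PHP/7.4.3
X-Powered-By: PHP/7.4.3
Content-Type: text/html'
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

classify "$BEFORE"   # prints: leaks
classify "$AFTER"    # prints: ok
```

Removing X-Powered-By is a separate setting (for PHP, `expose_php = Off` in php.ini), which the Apache directives above do not cover.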
JavaScript, Java applets, Silverlight and Flash can also add to the security risks, as can the use of hidden iframes; certain types of tracking code may also have been maliciously altered. Check also for script injections, obfuscation you are not familiar with, code outside the HTML that should not be there, etc.