When creating a website, developers and testers usually create test user accounts like "test / 123456" and give them administrative permissions; add test user groups with redundant privileges; create test web pages showing the user accounts or system configuration information. The most severe blunder is to create a page giving a visitor the administrative privileges just by opening it.

It is extremely important to keep track of such test objects and delete them before deploying the web project. If you fail to do so, a successful attack on your website is just a matter of time.

1. Verify there are no test accounts left.
2. Ensure that the remaining accounts have strong passwords containing at least 8 characters including letters in varying case, digits and punctuation marks.
3. Verify that there are no test pages and files left.