Website security basics for small businesses
Practical steps to protect your website without a dedicated security team.

Part of the series: Website Fundamentals
Part 4 / 5
You don’t need to be a Fortune 500 company to be a target. Small business websites get hit constantly, not because anyone singled them out but because they tend to be unprotected and the attacks are automated. Bots crawl the internet scanning for known vulnerabilities, and if your site has one, it gets exploited without a human ever being involved.
Why small businesses get hacked
The pattern is almost always the same. A bot finds an outdated plugin, a weak password, or an unpatched CMS installation. No one specifically targeted your business. You just had a hole, and something automated found it.
The usual suspects:
- Outdated CMS or plugins: WordPress plugins with known vulnerabilities sit unpatched for months
- Weak passwords: “admin/admin123” is still disturbingly common in the wild
- No HTTPS: data transmitted in plain text for anyone on the network to read
- Shared hosting issues: one compromised site on the server can affect its neighbors
- No backups: turning a minor breach into a catastrophic one
What you should actually do
Get HTTPS set up
If your site doesn’t have the padlock icon, this is your first priority. HTTPS encrypts the connection between your visitors and your server, so passwords, form submissions and everything else can’t be read or altered by anyone on the network in between.
- Most hosts offer free TLS certificates (what hosting panels still call “SSL”) through Let’s Encrypt
- Google treats HTTPS as a ranking signal, so non-HTTPS sites are at a disadvantage in search
- Browsers now show “Not Secure” warnings that scare visitors away
It’s free and it takes about 30 minutes. There’s no excuse for not having it in 2026. Once the certificate is in place, redirect all HTTP requests to HTTPS so nobody lands on the unencrypted version of the site.
Keep everything updated
If you’re running WordPress or any CMS:
- Update core software as soon as security patches drop
- Update all plugins and themes
- Remove plugins you aren’t actively using (every plugin is attack surface)
- Only use plugins from developers with a track record
Enable automatic updates for WordPress core, and turn on per-plugin auto-updates from the Plugins screen for anything you don’t want to babysit. Keep backups current so a bad update can be rolled back. The “I’ll get to it later” approach is how sites get compromised.
Fix your authentication
At minimum:
- Unique passwords for every account (use a password manager, seriously)
- Two-factor authentication on your CMS admin panel
- Rate-limited login attempts to stop brute force attacks
- Non-default admin usernames: if your login is “admin”, change it today. Treat this as a small gain rather than a defense, since WordPress still leaks usernames through author pages and the REST API; two-factor authentication and rate limiting are what actually stop a guessing attack
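Rate limiting is worth seeing in code, because the obvious version (count failures per IP) misses the common case where a botnet spreads one account’s guesses across hundreds of addresses. The example below is added here and is not code from the article or from WordPress: it keeps two sliding windows, one per source IP and one per username, locks out whichever trips first, hashes passwords with scrypt, and spends the same time on unknown usernames as on known ones so the login form doesn’t reveal which accounts exist. The thresholds, user store and IP addresses are illustrative.

```python
"""Login brute-force protection: constructed example, not the article's code.
Two sliding-window counters (per IP and per username) feed a lockout table;
thresholds and the in-memory user store are illustrative assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_PER_IP = 10      # failed attempts from one IP inside WINDOW before lockout
MAX_PER_USER = 5     # failed attempts against one username inside WINDOW
WINDOW = 600         # seconds the failure counters look back
LOCKOUT = 900        # seconds an IP or username stays blocked


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """scrypt with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for testing
        self.users = {}                       # username -> (salt, digest)
        self.failures = defaultdict(deque)    # counter key -> failure timestamps
        self.locked_until = {}                # counter key -> unlock time

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _record_failure(self, key: str, limit: int, now: float) -> None:
        q = self.failures[key]
        while q and now - q[0] > WINDOW:      # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= limit:
            self.locked_until[key] = now + LOCKOUT

    def is_locked(self, key: str) -> bool:
        return self.locked_until.get(key, 0) > self.clock()

    def login(self, username: str, password: str, ip: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. The lock check runs before the
        password is examined, so a locked-out attacker learns nothing new."""
        now = self.clock()
        ip_key, user_key = f"ip:{ip}", f"user:{username}"
        if self.is_locked(ip_key) or self.is_locked(user_key):
            return "locked"
        if username in self.users:
            salt, expected = self.users[username]
            _, actual = hash_password(password, salt)
            ok = hmac.compare_digest(actual, expected)
        else:
            hash_password(password)           # same cost for unknown users
            ok = False
        if ok:
            self.failures.pop(user_key, None)  # reset the per-account counter
            return "ok"
        self._record_failure(ip_key, MAX_PER_IP, now)
        self._record_failure(user_key, MAX_PER_USER, now)
        return "denied"
```

A real deployment would keep the counters in Redis or the database so they survive restarts and are shared across web workers, and would take the client IP from the proxy header only when the request actually came through your CDN.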
Set up proper backups
Follow the 3-2-1 rule:
- 3 copies of your data
- 2 different storage types
- 1 offsite copy (cloud backup)
And test your backups regularly. A backup you’ve never tried to restore is not really a backup.
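Testing a restore is easy to automate. The script below is an added example, not code from the article: it writes a tar.gz of the site directory together with a SHA-256 manifest, then restores the archive into a scratch directory and checks every file against that manifest. The sample files and paths are constructed for illustration; point make_backup at your real site directory instead.

```python
"""Backup with manifest plus automated restore test: constructed example,
not the article's code. File names and contents used in testing are made up."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(expected: dict, actual: dict) -> list:
    """Human-readable differences between two manifests; empty means identical."""
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"added: {rel}")
    return problems


def make_backup(site_dir: Path, dest_dir: Path, name: str) -> tuple:
    """Write <name>.tar.gz and <name>.manifest.json; returns both paths."""
    archive = dest_dir / f"{name}.tar.gz"
    manifest = dest_dir / f"{name}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    manifest.write_text(json.dumps(build_manifest(site_dir), indent=1))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore into a throwaway directory and diff against the manifest.
    An empty list means the backup restores cleanly."""
    expected = json.loads(manifest.read_text())
    # The 'data' extraction filter (Python 3.12, backported to 3.8.17+) refuses
    # path-traversal and device entries; fall back silently on older runtimes.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        actual = build_manifest(Path(scratch))
    return diff_manifests(expected, actual)
```

The manifest doubles as a file-integrity baseline: run build_manifest on the live site and diff_manifests against the manifest of your last verified backup to list every file added or changed since, which is exactly the “look for modified files” step when you suspect a compromise. Keep the manifest with the offsite copy, not only on the server.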
Use a web application firewall
Cloudflare’s free tier is genuinely good for small sites. Its managed rules and DDoS protection block or challenge:
- SQL injection attempts
- Cross-site scripting (XSS)
- DDoS attacks
- Malicious bot traffic
It takes about an hour to set up and the free plan covers the essentials. Two things it does not do: it does not fix the vulnerability behind it, and it only sees traffic that actually passes through it. If your server’s real IP can be found (an old DNS record, the mail server, a subdomain that isn’t proxied), an attacker can talk to the origin directly, so configure the origin to accept web traffic only from Cloudflare’s published IP ranges.
Why static sites have a huge security advantage
This is something we feel strongly about. A static site simply doesn’t have the components that get exploited:
| Vulnerability | WordPress | Static Site |
|---|---|---|
| SQL injection | Possible | Impossible (no database) |
| Plugin exploits | Common | N/A (no plugins) |
| Brute force login | Possible | Impossible (no login) |
| Server-side code injection | Possible | Impossible (no server code) |
| Zero-day PHP exploits | Possible | Impossible (no PHP) |
The most secure website is one with the smallest attack surface. Static sites eliminate entire categories of vulnerabilities by design, not by adding more security layers on top. What remains is the accounts around the site (hosting, DNS, CDN, the repository it builds from), any third-party scripts or form handlers you embed, and the build toolchain itself, so the authentication and header advice in this article still applies.
This is one of the reasons we use Hugo for most projects.
If you’ve been hacked
Don’t panic, but move fast:
- Take the site offline to prevent further damage
- Contact your host: they may have backups and server logs
- Identify the breach: check access logs, look for modified files, search for new admin accounts
- Restore from a clean backup: one taken before the compromise, onto a wiped or freshly provisioned host, and fix the vulnerability before putting it back online. Don’t just patch the compromised site
- Change every password and secret: every account, every service, plus database credentials, API keys and the WordPress authentication salts in wp-config.php (rotating the salts invalidates every session cookie, including the attacker’s)
- Update everything: close whatever vulnerability was exploited
- Monitor for weeks afterward: watch for signs the attacker left a backdoor
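“Check access logs” is vague unless you know what to look for. The script below is an added example, not code from the article: it parses combined-format access log lines (the Apache and nginx default) and flags the three patterns behind most small-site incidents: a login brute force from one IP, xmlrpc.php abuse, and PHP files being served from wp-content/uploads, a directory that should only ever contain media and is where uploaded webshells land. The log lines, IP addresses and threshold are constructed for illustration.

```python
"""Access-log triage after a suspected compromise: constructed example, not
the article's code. The sample log and the threshold are illustrative."""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
BRUTE_FORCE_THRESHOLD = 20   # POSTs to one login endpoint from a single IP
UPLOADS_PHP = re.compile(r"/wp-content/uploads/.*\.php$", re.IGNORECASE)


def parse_line(line: str):
    """Dict of fields for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines) -> dict:
    login_posts, xmlrpc_posts = Counter(), Counter()
    uploads_php = defaultdict(set)   # path -> IPs that got a 2xx from it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore the query string
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        elif rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
        if UPLOADS_PHP.search(path) and rec["status"].startswith("2"):
            uploads_php[path].add(rec["ip"])
    return {
        "brute_force_ips": sorted(ip for ip, n in login_posts.items()
                                  if n >= BRUTE_FORCE_THRESHOLD),
        "xmlrpc_ips": sorted(ip for ip, n in xmlrpc_posts.items()
                             if n >= BRUTE_FORCE_THRESHOLD),
        "webshell_candidates": {p: sorted(ips) for p, ips in uploads_php.items()},
    }


def sample_log() -> list:
    """Constructed log: a brute force, normal traffic, and a webshell being used."""
    lines = [
        f'198.51.100.7 - - [12/Jan/2026:03:{i:02d}:07 +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'
        for i in range(25)
    ]
    lines += [
        '203.0.113.42 - - [12/Jan/2026:03:30:01 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
        '203.0.113.42 - - [12/Jan/2026:03:30:02 +0000] "GET /wp-content/uploads/2025/11/menu.jpg HTTP/1.1" 200 91222 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [12/Jan/2026:03:31:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [12/Jan/2026:04:02:13 +0000] "POST /wp-content/uploads/2026/01/wp-cache.php HTTP/1.1" 200 31 "-" "python-requests/2.31"',
        '203.0.113.9 - - [12/Jan/2026:04:02:20 +0000] "GET /wp-content/uploads/2026/01/wp-cache.php?c=id HTTP/1.1" 200 58 "-" "python-requests/2.31"',
        "garbage line that does not parse",
    ]
    return lines


if __name__ == "__main__":
    for key, value in triage(sample_log()).items():
        print(key, value)
```

Run it over the real log with `triage(open("/var/log/nginx/access.log"))`, and pull logs from your host for the days before you noticed anything, since the first successful request to a webshell is usually well before the defacement or redirect appears.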
Security headers worth setting
These HTTP headers add meaningful protection with very little effort. The Content-Security-Policy line is the one that needs care: default-src 'self' blocks inline scripts and styles and anything loaded from another domain (analytics, web fonts, embedded videos), so roll it out as Content-Security-Policy-Report-Only first, check the browser console for violations, and only then switch to the enforcing header.
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
If you’re on Cloudflare or Netlify, you can set these in configuration files without touching server config. Once HTTPS works everywhere, add Strict-Transport-Security as well so browsers refuse to fall back to plain HTTP for your domain.
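Setting the headers is half the job; the other half is confirming they actually reach the browser (a CDN, a caching plugin or a redirect can silently drop them). The checker below is an added example, not code from the article: audit_headers() takes a response’s headers and reports each one that is missing or weak against the list above, also checking for unsafe CSP keywords and for an HSTS header with a sensible max-age; fetch_headers() pulls the headers from a live URL. The sample header sets are constructed.

```python
"""Security header audit: constructed example, not the article's code.
The allowed values mirror the article's list; the HSTS check is an addition."""
import re
import urllib.request

# Header -> acceptable values (lower-cased). None means presence is enough,
# because the value is site-specific.
EXPECTED = {
    "content-security-policy": None,
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("deny", "sameorigin"),
    "referrer-policy": ("no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"),
    "permissions-policy": None,
}
HSTS_MIN_AGE = 31536000   # one year, the usual recommendation


def audit_headers(headers: dict) -> list:
    """One finding per missing or weak header; an empty list is a pass."""
    h = {k.lower(): (v or "").strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in h:
            findings.append(f"missing: {name}")
        elif allowed and h[name].lower() not in allowed:
            findings.append(f"weak: {name}={h[name]}")
    csp = h.get("content-security-policy", "")
    if csp and re.search(r"'unsafe-(inline|eval)'", csp):
        findings.append("weak: content-security-policy allows unsafe-inline/unsafe-eval")
    if not csp and "content-security-policy-report-only" in h:
        findings.append("info: CSP is report-only, not enforced")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing: strict-transport-security")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"weak: strict-transport-security max-age={m.group(1)}")
    return findings


def fetch_headers(url: str, timeout: float = 10) -> dict:
    """Headers of a live page; not exercised offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    import sys
    for finding in audit_headers(fetch_headers(sys.argv[1])) or ["all checks passed"]:
        print(finding)
```

Check a few different URLs, not just the homepage: a 404 page, an asset and a page served from cache often come back with a different header set.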
A simple monthly routine
Spend 30 minutes once a month:
- Apply any pending CMS or plugin updates
- Review admin accounts and remove any you don’t recognize
- Check Google Search Console for security warnings
- Verify your backups are running and actually restorable
- Scan your site for unexpected content, pages, or redirects
This alone puts you ahead of most small business websites, which never get looked at between launch and the day something breaks.
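The last item in that routine, scanning for unexpected content and redirects, can be scripted so it doesn’t depend on you noticing something by eye. The scanner below is an added example, not code from the article: it parses a page’s HTML and reports scripts, iframes or forms that point at hosts outside an allowlist, meta-refresh and inline-JavaScript redirects, and links hidden with CSS, which is how injected SEO spam usually stays invisible to the site owner while search engines see it. The allowlist, domain names and sample page are constructed for illustration.

```python
"""Injected-content scanner for a site's HTML: constructed example, not the
article's code. The allowlist and the sample page are illustrative."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts your pages are allowed to load active content from (assumed values).
ALLOWED_HOSTS = {"example-bakery.com", "www.example-bakery.com", "cdnjs.cloudflare.com"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
JS_REDIRECT = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]https?://", re.I)
ACTIVE_TAGS = {"script": "src", "iframe": "src", "form": "action"}


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""   # '' for relative URLs, which are fine


class ContentScanner(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src_attr = ACTIVE_TAGS.get(tag)
        if src_attr and a.get(src_attr):
            host = host_of(a[src_attr])
            if host and host not in self.allowed:
                self.findings.append(f"external {tag} -> {host}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta refresh -> {a.get('content', '')}")
        if tag == "a" and HIDDEN_CSS.search(a.get("style", "")):
            self.findings.append(f"hidden link -> {a.get('href', '')}")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script and JS_REDIRECT.search(data):
            self.findings.append("inline script redirect")


def scan_html(html: str, allowed=ALLOWED_HOSTS) -> list:
    """All findings for one page, in document order; empty means clean."""
    parser = ContentScanner(allowed)
    parser.feed(html)
    parser.close()
    return parser.findings


def sample_page() -> str:
    """Constructed page: one legitimate CDN script plus four injected items."""
    return """<html><head>
<meta http-equiv="refresh" content="0;url=https://cheap-pills.example">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>if (document.referrer.indexOf("google") > -1) { window.location = "https://cheap-pills.example/landing"; }</script>
</head><body>
<h1>Example Bakery</h1>
<script src="https://static.evil-tracker.example/loader.js"></script>
<a href="https://cheap-pills.example/buy" style="position:absolute;left:-9999px">buy pills</a>
</body></html>"""
```

Run it against the HTML of each page in your sitemap, fetched with a search-engine User-Agent as well as a normal one: a common trick is to serve the injected content only to crawlers so the owner never sees it in a browser.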
Warning signs of a compromise
If you notice any of these, investigate immediately:
- Unexpected redirects to other websites
- Pages or content you didn’t create
- Google showing “This site may be hacked” warnings
- Sudden drop in search rankings overnight
- Customers reporting spam emails from your domain (this can also be plain spoofing with no compromise at all; SPF, DKIM and DMARC records on your domain make that much harder, and a DMARC report will tell you which it is)
These need professional attention. The longer a compromise goes undetected, the harder it is to clean up.
Where to go from here
Protecting your website doesn’t require a big budget. Just consistent attention to the basics.
- Contact us if you want a security review of your current site
- See our portfolio for examples of how we build with security in mind
- Consider moving to a static site if security is a priority