Website Security Basics for Small Businesses
Practical steps to protect your website without a dedicated security team.
You don’t need to be a Fortune 500 company to be a target. Small business websites are attacked precisely because they’re often unprotected. Here’s what you need to know and what you can do today.
Why Small Businesses Get Hacked
The uncomfortable truth: most attacks aren’t personal. Bots scan millions of websites looking for common vulnerabilities. If your site has one, it gets exploited automatically.
Common reasons small business sites get compromised:
- Outdated CMS or plugins — WordPress plugins with known vulnerabilities
- Weak passwords — “admin/admin123” is still disturbingly common
- No HTTPS — Data transmitted in plain text
- Shared hosting vulnerabilities — One compromised site affects neighbors
- No backups — Making ransomware attacks devastating
The Essentials Checklist
1. HTTPS Everywhere
If your site doesn’t have the padlock icon, fix this first. HTTPS encrypts data between your visitor’s browser and your server.
- Most hosts offer free SSL via Let’s Encrypt
- Search engines penalize non-HTTPS sites
- Browsers now warn visitors about “Not Secure” sites
Cost: Free. Time: 30 minutes.
2. Keep Everything Updated
If you’re running WordPress or any CMS:
- Update the core software as soon as patches release
- Update all plugins and themes
- Remove plugins you’re not using
- Use plugins from reputable developers only
Automated updates are available for WordPress — enable them.
3. Strong Authentication
At minimum:
- Unique passwords for every account (use a password manager)
- Two-factor authentication on your CMS admin panel
- Limit login attempts to prevent brute force attacks
- Change default admin usernames — don’t use “admin”
4. Regular Backups
Follow the 3-2-1 rule:
- 3 copies of your data
- 2 different storage types
- 1 offsite (cloud backup)
Test your backups. A backup you can’t restore is not a backup.
5. Web Application Firewall (WAF)
Services like Cloudflare offer a free tier that blocks common attacks:
- SQL injection attempts
- Cross-site scripting (XSS)
- DDoS protection
- Bot filtering
Cost: Free tier available. Time: 1 hour to set up.
The Static Site Advantage
This is where our approach with Hugo and static sites really shines. A static site has:
| Vulnerability | WordPress | Static Site |
|---|---|---|
| SQL injection | Possible | Impossible (no database) |
| Plugin exploits | Common | N/A (no plugins) |
| Brute force login | Possible | Impossible (no login) |
| Server-side code injection | Possible | Impossible (no server code) |
| Zero-day PHP exploits | Possible | Impossible (no PHP) |
The most secure website is one with the smallest attack surface. Static sites eliminate entire categories of vulnerabilities by not having the components that get exploited.
What to Do If You’ve Been Hacked
- Don’t panic — but act quickly
- Take the site offline — prevent further damage
- Contact your host — they may have backups and logs
- Identify the breach — check access logs, modified files, new admin accounts
- Restore from a clean backup — don’t just patch the current site
- Change all passwords — every account, every service
- Update everything — close the vulnerability that was exploited
- Monitor — watch for signs of re-compromise
Security Headers You Should Set
These HTTP headers add extra protection layers:
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
If you’re on Cloudflare or Netlify, these can be set in configuration files without touching server config.
Monthly Security Routine
Spend 30 minutes per month:
- Check for CMS/plugin updates and apply them
- Review admin accounts — remove any you don’t recognize
- Check Google Search Console for security warnings
- Verify your backups are running and restorable
- Review your site for unexpected content or redirects
When to Call a Professional
If you notice:
- Unexpected redirects to other websites
- New pages or content you didn’t create
- Google showing “This site may be hacked” warnings
- Significant drop in search rankings overnight
- Customers reporting spam from your domain
These are signs of compromise that need professional attention.
Next Steps
Your website is your digital storefront. Protecting it doesn’t require a big budget — just consistent attention.
- Contact us for a security audit of your current site
- View our portfolio to see how we build secure sites
- Consider migrating to a static site for maximum security