website security basics every small business owner should know
small business websites don't feel like hacking targets. why would anyone bother? the reality is that most attacks aren't targeted — they're automated bots scanning the internet for easy vulnerabilities, and small business sites are often the easiest.
the good news: the basics prevent the majority of attacks, and most of them are either free or cheap.
the most common ways small business sites get compromised
outdated wordpress plugins. this is the single most common attack vector for small business sites worldwide. a wordpress site with 15 plugins, some last updated two years ago, is an invitation. attackers scan for known vulnerabilities in specific plugin versions and exploit them automatically.
weak admin passwords. "admin" as the username and a simple password is still common. bots run credential stuffing attacks that try millions of password combinations against login pages.
shared hosting with poor isolation. on budget shared hosting, a compromise on one site on the server can sometimes spread to others. this isn't the most common attack, but it happens.
malicious file uploads. if your site has a contact form or user upload functionality that isn't properly secured, attackers can upload malicious files and execute them on your server.
the essentials to have in place
ssl certificate (https). if your site still loads on http:// rather than https://, this is your first priority. ssl certificates are free through let's encrypt and almost every modern hosting provider offers them with one click. without one, google flags your site as "not secure," which hurts both trust and ranking.
strong, unique passwords with two-factor authentication. use a password manager and generate a random 20-character password for your wordpress or site admin. enable two-factor authentication if the platform supports it. this eliminates most brute force attacks.
keep wordpress and plugins updated. in wordpress, go to dashboard → updates once a month and apply available updates. this is genuinely the highest-impact security habit for wordpress sites.
remove plugins you don't use. deactivated plugins that are still installed still have code on your server that can contain vulnerabilities. if you're not using a plugin, delete it entirely.
regular backups. this doesn't prevent attacks, but it limits the damage. if your site gets hacked or a bad update breaks something, a recent backup means you can restore in minutes instead of starting over. services like updraftplus (wordpress) make automated daily backups easy. store the backups offsite — not just on your server.
a basic firewall. cloudflare's free tier adds a web application firewall and blocks a significant portion of malicious traffic before it reaches your site. it also speeds up your site via its cdn. for most small business sites, the free plan is sufficient.
what to do if your site gets hacked
don't panic, but act quickly.
- take the site offline temporarily to prevent further damage or spreading malware to visitors.
- contact your hosting provider — many have security teams that can help diagnose the attack.
- restore from a clean backup if you have one.
- change all passwords (wordpress admin, hosting account, ftp, database) — even if you restore from backup, your credentials may be compromised.
- scan for remaining malware using a tool like wordfence (wordpress plugin) or have a developer do a manual review.
- figure out how the attack happened and close the gap before relaunching.
if you don't have a backup, remediation is more involved — the site needs to be scanned and cleaned manually, which takes hours and is often not worth doing on an old site versus rebuilding.
the bigger picture
a hacked site isn't just an inconvenience. if your site is serving malware to visitors, google will blacklist it — meaning you disappear from search results. recovering from that blacklist takes days and requires manual review. the reputational damage with customers can be worse than the direct cost.
basic security hygiene — ssl, updated plugins, strong passwords, regular backups, a firewall — costs almost nothing and prevents the overwhelming majority of attacks. it's worth 30 minutes today.
if you'd like a security review of your existing site, or if you're building new and want to ensure security is built in from the start, nanushi can help.