You have an SSL certificate. Your site shows the padlock icon. You're secure, right?
Not even close. SSL encrypts data traveling between your visitor's browser and your server. That's important — and if you don't have it yet, start there. But it's like locking your car doors while leaving the windows down. Real website security requires a layered approach.
Here's what small businesses actually need to do.
Why Small Businesses Are Targets
There's a myth that hackers only target large companies. The reality:
- 43% of cyberattacks target small businesses
- Most small business websites have weaker security than enterprise sites
- Automated bots attack thousands of sites simultaneously — they don't discriminate by size
- A compromised small business site can be used for spam, phishing, or attacking other sites
The average cost of a data breach for a small business is over $120,000. Most can't afford that.
Keep Everything Updated
The #1 cause of website compromises is outdated software. If your site runs on WordPress or any CMS:
- Update CMS core as soon as new versions release
- Update plugins and themes weekly — outdated plugins are the most exploited vulnerability
- Remove unused plugins and themes — Even deactivated ones can be exploited if they have known vulnerabilities
- Check for end-of-life software — If a plugin or theme is no longer maintained, replace it
Static websites (like those built with modern frameworks) have a naturally smaller attack surface because there's no admin panel, database, or plugins to exploit.
Strong Access Controls
If your site has an admin panel:
- Use strong, unique passwords — At minimum 16 characters with a mix of types. Use a password manager.
- Enable two-factor authentication (2FA) — This alone blocks the vast majority of unauthorized login attempts
- Limit login attempts — Block IP addresses after 5-10 failed login attempts
- Change default admin URLs — If your CMS login is at
/wp-adminor/admin, change it to something custom - Restrict user roles — Only give admin access to people who absolutely need it. Everyone else gets the minimum permissions required for their role.
- Review access regularly — Remove accounts for former employees or contractors immediately
Regular Backups
Backups won't prevent an attack, but they determine whether a breach is an inconvenience or a catastrophe:
- Automate daily backups — Don't rely on remembering to do it manually
- Store backups off-site — If your server is compromised, backups stored on the same server are useless
- Keep multiple backup versions — Sometimes you don't discover a breach for days or weeks. Having 30 days of backups means you can restore to a clean version.
- Test your backups — A backup you've never tested is a backup you can't trust. Periodically restore a backup to verify it works.
Secure Your Forms
Contact forms, login forms, and any input fields are entry points for attacks:
- Use CAPTCHA or honeypot fields — Prevent automated spam and bot submissions
- Validate inputs server-side — Never trust data from the browser alone. Validate and sanitize all form inputs on the server.
- Limit file uploads — If your forms accept file uploads, restrict file types and scan for malware
- Rate limit submissions — Prevent bots from submitting hundreds of forms per minute
Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your website:
- Cloudflare offers a free tier with basic WAF protection
- Sucuri provides comprehensive website firewall and malware scanning
- A WAF blocks common attacks like SQL injection, cross-site scripting (XSS), and brute force attempts automatically
For most small businesses, Cloudflare's free plan provides meaningful protection with minimal setup.
Monitor for Problems
You can't fix what you don't know about:
- Set up uptime monitoring — Services like UptimeRobot (free) will alert you if your site goes down
- Enable Google Search Console — Google will notify you if they detect malware or security issues on your site
- Review server logs — Unusual traffic patterns or repeated failed logins are red flags
- Scan for malware regularly — Tools like Sucuri SiteCheck (free) scan your site for known malware
HTTPS Everywhere
Yes, you have SSL — but verify it's implemented correctly:
- Force HTTPS — Ensure all HTTP requests redirect to HTTPS automatically
- Check for mixed content — If your HTTPS pages load images or scripts over HTTP, browsers will show warnings
- Renew before expiration — Set up auto-renewal for your SSL certificate. An expired certificate destroys visitor trust instantly.
Security Headers
These are server-level settings that add protection layers. Ask your developer or hosting provider to implement:
- Content-Security-Policy — Controls what resources your page can load, preventing XSS attacks
- X-Frame-Options — Prevents your site from being embedded in iframes (clickjacking protection)
- X-Content-Type-Options — Prevents browsers from misinterpreting file types
- Referrer-Policy — Controls how much information is shared when visitors click links
- Permissions-Policy — Restricts browser features like camera, microphone, and geolocation access
Your Security Checklist
- [ ] SSL certificate active and auto-renewing
- [ ] All software (CMS, plugins, themes) up to date
- [ ] Strong passwords and 2FA on all admin accounts
- [ ] Automated daily backups stored off-site
- [ ] Forms protected with CAPTCHA and server-side validation
- [ ] WAF enabled (Cloudflare or similar)
- [ ] Uptime and malware monitoring active
- [ ] Security headers configured
- [ ] Unused accounts and plugins removed
Want a website built with security in mind from the start? Contact us — we build sites that are fast, beautiful, and secure by design.