Small businesses are the most targeted victims of cyberattacks. Not because hackers specifically want your data, but because small business sites are easy targets: most run outdated software, use weak passwords, and have no monitoring at all.
The good news: most of these problems are fixable in an afternoon. Here's the checklist.
1. Enable HTTPS on Every Page
If your site still shows http:// instead of https://, visitors see a "Not Secure" warning in their browser. This hurts trust and your Google ranking simultaneously.
HTTPS requires a TLS certificate (still commonly called an SSL certificate). Most modern hosting providers include one for free. If yours doesn't, you can get a free certificate from Let's Encrypt in about ten minutes.
Check: Type your domain into your browser. Does a padlock icon appear? If not, fix this first.
2. Use Strong, Unique Passwords for Every Login
The most common way websites get compromised is password reuse. If you used the same password for your website admin as you did for a service that got breached, hackers already have your credentials.
Use a password manager (1Password, Bitwarden, or the one built into your browser) and generate a unique password for every account related to your website: hosting, domain registrar, CMS, email, and analytics.
Check: Can you recite your website admin password from memory? If so, it's probably not strong enough.
3. Enable Two-Factor Authentication
Two-factor authentication (2FA) means that even if someone gets your password, they still need access to your phone or email to log in. It's one of the most effective security upgrades you can make in under five minutes.
Enable 2FA on:
- Your hosting control panel
- Your domain registrar
- Your email account (especially the one tied to your domain)
- Your CMS admin panel
4. Keep Your CMS and Plugins Updated
If your site runs on WordPress, Drupal, or any platform with plugins, outdated software is your biggest vulnerability. The majority of WordPress hacks happen through known vulnerabilities in outdated plugins.
Check: Log into your WordPress dashboard. Does the admin bar show any update notifications? Run them now. All of them.
If you're not keeping up with updates, consider switching to a managed plan where updates are handled for you automatically.
5. Remove Plugins and Themes You Don't Use
Every inactive plugin on your WordPress site is a potential attack surface. If you installed a plugin to try it and never activated it, or if you switched themes years ago, delete the old ones entirely. Deactivated is not the same as safe: the plugin's files are still on the server and can still be requested directly by a browser.
Check: In WordPress, go to Plugins, then Installed Plugins. Sort by Inactive and delete anything you're not actively using.
6. Set Up Automated Backups
Backups don't prevent attacks. They limit the damage. If your site gets hacked or corrupted, a recent backup means you restore to a clean version instead of rebuilding from scratch.
Your backups should be:
- Automatic. Daily or weekly, never manual.
- Off-site. Stored somewhere other than your hosting account (so a hosting breach doesn't also destroy your backup).
- Tested. A backup you've never restored from might not actually work when you need it.
7. Block Brute Force Login Attempts
Hackers use automated tools that try thousands of password combinations against your login page. This is called a brute force attack, and it happens to every site, every day, automatically.
If you're on WordPress, a plugin like Limit Login Attempts Reloaded blocks IPs after repeated failed attempts. On a managed hosting plan, this is typically handled at the server level before requests even reach your site.
8. Monitor Your Site for Malware
Malware can sit on your site for weeks before you notice. It redirects visitors to spam sites, steals form data, or uses your server to send spam email, all without any visible symptoms on your end.
Free tools like Sucuri SiteCheck can scan your site for known malware signatures. For ongoing monitoring, Wordfence (for WordPress) or a managed security service will alert you in real time when something looks wrong.
9. Secure Your Contact Forms
Every form on your site is a potential attack vector. Without protection, bots can use your contact form to send spam, harvest email addresses, or probe for vulnerabilities.
Protect your forms by:
- Adding a honeypot field (a hidden field that real visitors never see, so only bots fill it out)
- Using CAPTCHA or a modern spam-filtering service
- Never exposing your email address as plain text on the page
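The honeypot idea above is simple enough to build yourself. This added example (not code from the article) renders a decoy input and rejects any submission where that input is missing or filled in. The field name `website_url` and the handler names are chosen for the example; a real form would sit behind a web framework, so `form` is just the dictionary of posted fields.

```python
import html

# Name of the decoy field (example choice). A bot that fills every input it finds
# will populate it; a browser never shows it, so a real visitor leaves it empty.
HONEYPOT_FIELD = "website_url"

def honeypot_html():
    """Markup for the decoy input. It is hidden with CSS rather than type=hidden,
    because many form bots skip type=hidden inputs but fill visible-looking ones.
    tabindex=-1 and autocomplete=off keep keyboard users and browser autofill away."""
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off" value="">'
        '</div>'
    )

def is_bot_submission(form):
    """form: dict of posted fields. Treat the POST as a bot when the decoy is
    missing (the request did not come from our rendered form) or non-empty."""
    if HONEYPOT_FIELD not in form:
        return True
    return form[HONEYPOT_FIELD].strip() != ""

def handle_contact(form):
    """Return ("rejected", None) for bots, else ("accepted", cleaned fields).
    Rejections are silent: explaining the reason only helps the bot adapt."""
    if is_bot_submission(form):
        return ("rejected", None)
    return ("accepted", {
        "email": form.get("email", "").strip(),
        # Escape before the message is ever rendered back into a page or email.
        "message": html.escape(form.get("message", "").strip()),
    })
```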
10. Lock Down Your Domain Registrar
Your domain is the most critical asset tied to your website. If a hacker gets into your domain registrar, they can redirect your entire website and email to a server they control. Your customers would have no way to know.
- Enable registrar lock (most registrars offer this; it prevents unauthorized transfers of your domain)
- Enable 2FA on your registrar account
- Make sure the email address on your registrar account is secure and actively monitored
The Honest Reality
Security is not a one-time setup. It's an ongoing practice. Software gets updated, new vulnerabilities get discovered, and attack methods evolve constantly. A site that was secure six months ago might not be today.
Most small business owners don't have time to stay on top of this. That's exactly why we include security monitoring, updates, and backups as part of every plan we offer. You focus on your business. We make sure nobody gets in.
Want to know if your site has any of these issues? Get a free website audit. We check for security gaps as part of every review, at no cost.