Website Security Basics: Protect Your Small Business Online

The essential security steps that keep your website, your data and your customers safe from common attacks.

Published 2024-12-01 · 5 min read · Pro Digital Labs

Why Small Businesses Are a Bigger Target Than They Think

Many owners assume hackers only chase big corporations. In reality, small business websites are attacked constantly, precisely because they're often the least protected. Most of these attacks aren't a hooded figure targeting you personally; they're automated bots scanning millions of sites for an out-of-date plugin or a weak password to exploit. Your site doesn't need to be famous to be found.

The cost of getting this wrong is rarely just a defaced homepage. A compromised site can leak customer data, get blacklisted by Google with a scary red warning, send spam in your name, or quietly redirect your customers to a scam. Recovering from that can take weeks and shatter the trust you've spent years building. The good news is that website security basics are mostly straightforward, affordable, and well within reach of any small business.

HTTPS: The Padlock That Protects Every Visitor

The padlock in the address bar means your site uses HTTPS, which encrypts the connection between your visitor and your server. Without it, anything typed into a form, such as a password, an email address or a card number, can potentially be read by anyone snooping on the network. It's the single most visible signal of a safe site, and browsers now openly label sites without it as 'Not Secure'.

Getting HTTPS is no longer expensive or difficult. Most reputable UK hosts provide a free SSL certificate through Let's Encrypt that renews automatically, and many enable it with a single click. There's genuinely no excuse to run a business website without it in 2024.

Once it's installed, make sure the whole site redirects from the old insecure address to the secure one, so there are no half-protected pages. A quick check in any browser, looking for the padlock on every page including checkout and contact forms, confirms it's working as it should.
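The browser check can be repeated for a whole list of pages at once. The script below is an added example, not code from this article's author: it requests each page over plain HTTP without following redirects and reports any page that is served insecurely or redirects somewhere other than the HTTPS version of the same site. The host `example.com` and the page paths are placeholders.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch_plain_http(host, path, timeout=10):
    """Request http://host/path on port 80 and return (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-redirect-check"})
        resp = conn.getresponse()  # http.client never follows redirects itself
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def bare(hostname):
    """Treat example.com and www.example.com as the same site."""
    hostname = (hostname or "").lower()
    return hostname[4:] if hostname.startswith("www.") else hostname

def classify(host, status, location):
    """The only good answer to a plain-HTTP request is a redirect to https on the same site."""
    if status not in REDIRECTS:
        return "FAIL: answered over plain HTTP with status %d" % status
    target = urlsplit(location or "")
    if target.scheme != "https":  # also catches relative redirects, which stay on http
        return "FAIL: redirect target %r is not https" % location
    if bare(target.hostname) != bare(host):
        return "WARN: redirects to another host, %s" % target.hostname
    return "OK"

def check_site(host, paths, fetch=fetch_plain_http):
    """Return {path: verdict} for every path, requested over plain HTTP."""
    results = {}
    for path in paths:
        try:
            status, location = fetch(host, path)
            results[path] = classify(host, status, location)
        except (OSError, http.client.HTTPException) as exc:
            results[path] = "ERROR: %s" % exc
    return results

if __name__ == "__main__":
    # Placeholder host and paths: list your own pages, including checkout and contact forms.
    for path, verdict in check_site("example.com", ["/", "/contact", "/checkout"]).items():
        print(path, verdict)
```

Any line that does not say OK is a page to raise with your host or developer.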

Keep Everything Updated, Because Old Software Is the Open Door

The most common way small business sites get hacked is through outdated software. Whether you run WordPress, another content system, or a custom build, the platform, themes, and plugins all receive security updates that patch newly discovered holes. When you ignore those updates, you leave a known, published weakness sitting open for the bots to find.

Set a routine. Check for updates at least weekly, apply them promptly, and take a backup first so you can roll back if an update ever clashes with your design. If your site relies on plugins, audit them occasionally and delete any you no longer use, since even deactivated, outdated plugins can be an entry point.

Be wary of abandoned plugins and themes that haven't been updated by their developer in over a year. They're a quiet liability. Replacing them with a maintained alternative is far cheaper than cleaning up after a breach.

Strong Logins and Two-Factor Authentication

Weak passwords are an open invitation. 'admin' as a username paired with a guessable password is exactly what automated attacks try first, and they can make thousands of attempts a minute. Every account with access to your site needs a long, unique password, ideally generated and stored in a password manager rather than reused across services.

Two-factor authentication is your strongest single upgrade. It means that even if someone steals your password, they still can't log in without a code from your phone. Most platforms support it, often through a free app, and switching it on for every admin account takes minutes. It blocks the overwhelming majority of automated login attacks on its own.

Limit who has admin access. Give staff only the permission level their role actually needs, remove accounts the moment someone leaves, and never share a single login between several people. Fewer powerful accounts means fewer ways in.

  • Use long, unique passwords stored in a password manager
  • Turn on two-factor authentication for every admin account
  • Avoid generic usernames like 'admin'
  • Give staff the minimum access their role requires
  • Remove old accounts immediately when someone leaves

Back Up Your Site Like Your Business Depends on It

A reliable backup is your safety net for almost every disaster, whether it's a hack, a botched update, a server failure, or simple human error. With a recent backup you can restore your whole site in minutes; without one, a single bad day can wipe out years of work. This is the step owners skip most and regret most.

Follow a simple rule: keep automatic backups running on a schedule, and store at least one copy somewhere other than your hosting account, such as cloud storage you control. If your host is compromised, a backup stored only on that same host can be lost or encrypted alongside everything else.

Crucially, test that your backups actually restore. A backup you've never tried is just a hopeful assumption. Once or twice a year, confirm you can rebuild from it, so that when you genuinely need it, there are no unwelcome surprises.
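A first-stage check can run after every backup, between full restore tests. The script below is an added example, not code from this article's author: it opens a `.tar.gz` backup, reads every expected file, and compares it with a SHA-256 manifest written when the backup was taken. The manifest, the archive format and the sample file names are assumptions made for illustration.

```python
import hashlib, io, tarfile, zlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_backup(archive, manifest):
    """Check a .tar.gz backup (binary file object) against manifest {path: sha256}.

    Returns a list of problems; an empty list means every expected file was
    present, readable and unchanged since the manifest was written.
    """
    problems, seen = [], set()
    try:
        with tarfile.open(fileobj=archive, mode="r:gz") as tar:
            for member in tar:
                if not member.isfile() or member.name not in manifest:
                    continue
                seen.add(member.name)
                # Reads the bytes into memory; nothing is written to disk here.
                data = tar.extractfile(member).read()
                if sha256_hex(data) != manifest[member.name]:
                    problems.append("changed or corrupt: " + member.name)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append("archive unreadable: %s" % exc)
    problems += ["missing: " + name for name in sorted(set(manifest) - seen)]
    return problems

def make_sample_backup(files):
    """Build a constructed in-memory backup so the example runs without a real site."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample content, not a real site.
    files = {"index.html": b"<h1>Shop</h1>", "db/site.sql": b"CREATE TABLE orders (id INT);"}
    manifest = {name: sha256_hex(data) for name, data in files.items()}
    print("complete backup:", verify_backup(make_sample_backup(files), manifest))
    del files["db/site.sql"]  # simulate a backup job that skipped the database dump
    print("partial backup: ", verify_backup(make_sample_backup(files), manifest))
```

A clean result shows the archive opens and holds the expected files; rebuilding a working copy of the site from it is still the real test.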

Choose Hosting and Tools That Take Security Seriously

Your hosting provider is your first line of defence, so cheap and cheerful can become expensive when something goes wrong. Look for a host that includes a free SSL certificate, automatic backups, a web application firewall, and server-level malware scanning. Reputable UK hosting in the region of £3 to £15 a month for a small business site usually covers these as standard.

A web application firewall sits in front of your site and filters out malicious traffic before it ever reaches you, blocking common attack patterns automatically. Many hosts include one, and services like Cloudflare offer a capable free tier that also speeds your site up, a genuine two-for-one.

For forms and comments, add spam protection so bots can't flood you or inject malicious links. And be cautious about which third-party scripts and plugins you install, because every one you add is code from someone else running on your site. Stick to well-reviewed, actively maintained tools from sources you trust.

Have a Plan for When Something Goes Wrong

Even well-protected sites can be hit, so knowing what you'd do in advance turns a crisis into a procedure. Keep your host's support contact, your login details, and your backup location written down somewhere safe and accessible. If you suspect a breach, take the site offline or into maintenance mode, change every password, and restore from a clean backup before reopening.

Watch for warning signs: unexpected new admin accounts, pages or pop-ups you didn't create, a sudden drop in Google traffic, or a browser warning when you visit your own site. Catching these early limits the damage. Setting up Google Search Console for your site means Google will alert you directly if it detects something wrong.

If the worst happens and customer data is involved, UK businesses have data-protection obligations under GDPR, including reporting certain breaches. Knowing this in advance, rather than scrambling on the day, is part of running a responsible business online. For most small businesses, though, the basics in this guide prevent the vast majority of problems before they ever start.

Frequently asked questions

Do I really need HTTPS if I don't sell anything online?

Yes. Even a simple brochure or contact-form site needs HTTPS. It encrypts anything visitors type, protects their privacy, and stops browsers labelling your site 'Not Secure', which scares people away. Google also favours secure sites in search rankings. Since most UK hosts provide a free SSL certificate, there's no reason to go without it.

How often should I update my website software?

Check for updates at least weekly and apply security patches promptly, since outdated plugins and themes are the most common way small sites get hacked. Always take a backup before updating so you can roll back if anything clashes. Delete plugins you no longer use, and replace any that the developer has abandoned.

What is two-factor authentication and is it worth it?

Two-factor authentication adds a second step to logging in, usually a code from an app on your phone, so a stolen password alone isn't enough to break in. It's the single most effective security upgrade for most sites, blocks the vast majority of automated login attacks, takes minutes to set up, and is usually free.

Where should I store my website backups?

Keep automatic backups on a schedule and store at least one copy away from your hosting account, such as in cloud storage you control. If your host is ever compromised, a backup kept only on that same host can be lost too. Test that your backups actually restore at least once a year.

How do I know if my website has been hacked?

Watch for warning signs such as admin accounts you didn't create, unfamiliar pages or pop-ups, a sudden drop in Google traffic, or a browser security warning on your own site. Setting up Google Search Console means Google can alert you directly. If you suspect a breach, take the site offline, change all passwords, and restore from a clean backup.
