Small Business · Web Security · SSL

Website Security for Small Business Owners: What Actually Matters

A practical breakdown of website security for small business owners — the real risks, the fixes that matter, and what to ignore.

WebSentry Team · May 16, 2026 · 5 min read

Small business websites get attacked more than most owners realise. Not because hackers are personally interested in your bakery or accounting firm, but because automated bots scan the entire internet looking for the same handful of misconfigurations. If your site has them, you're in the bucket.

The good news: most attacks succeed because of basic, fixable issues — not sophisticated zero-days. Here's what actually matters when you're running a business website without a dedicated security team.

The Real Threats Facing Small Business Websites

Forget the Hollywood version of hacking. The actual threats look like this:

  • Credential stuffing — bots try leaked passwords against your admin login
  • Plugin/theme exploits — outdated WordPress plugins are the #1 entry point
  • Form spam and injection — contact forms without proper validation
  • SSL misconfiguration — expired certificates or weak TLS versions that break trust
  • Subdomain takeovers — old DNS records pointing to services you no longer use
  • Card skimmers — injected JavaScript that steals checkout data (Magecart-style attacks)

Notice what's missing: nation-state attackers. You're dealing with automation, and automation can be defeated with automation-resistant configuration.

The Security Baseline Every Small Business Site Needs

1. HTTPS done properly

Having a padlock isn't enough. Your SSL setup needs:

  • TLS 1.2 minimum, ideally TLS 1.3
  • Auto-renewal configured (Let's Encrypt via your host, or Cloudflare)
  • HTTP automatically redirects to HTTPS
  • HSTS header set so browsers refuse insecure connections

A surprising number of small business sites have a valid certificate but still serve HTTP if you type the URL without https://. That's a free downgrade attack for anyone on a coffee-shop Wi-Fi.

2. Security headers

These are HTTP response headers your server sends. They cost nothing and block entire categories of attacks:

  • Strict-Transport-Security — forces HTTPS
  • Content-Security-Policy — blocks injected scripts
  • X-Content-Type-Options: nosniff — prevents MIME-type tricks
  • Referrer-Policy — controls what data leaks to other sites
  • Permissions-Policy — restricts access to camera, mic, geolocation

If you're on WordPress, plugins like Really Simple SSL or a security suite can add these. On Cloudflare, you can set them through Transform Rules. If you're not sure which headers your site is sending, a quick scan with WebSentry will show you exactly what's missing and grade your configuration.
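
To see what such a scan checks, here is an added example (not WebSentry's or any plugin's code) that grades a set of response headers against the baseline in sections 1 and 2; it goes slightly beyond the list by also checking the HSTS max-age and includeSubDomains and whether the CSP actually restricts scripts. The header names are real, the thresholds, messages and sample headers are this example's own.

```python
# Added example (not WebSentry's or any plugin's code): grade a site's response
# headers against the baseline in sections 1 and 2. Header names are real; the
# thresholds and messages are this example's own choices.
REQUIRED = {
    "strict-transport-security": "HSTS missing: browsers will still accept plain HTTP",
    "content-security-policy": "CSP missing: injected scripts are not restricted",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: full URLs leak to other sites",
    "permissions-policy": "Permissions-Policy missing: camera/mic/geolocation unrestricted",
}
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def audit_headers(headers: dict) -> list:
    """Return findings for one response; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]

    # HSTS: presence alone is weak; check max-age and includeSubDomains as well.
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";") if p.strip()]
    if hsts:
        max_age = next((int(p[8:]) for p in hsts if p.startswith("max-age=") and p[8:].isdigit()), 0)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is short; use at least {ONE_YEAR}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains; subdomains can still be downgraded")

    # CSP: leaving script-src/default-src unset, or allowing 'unsafe-inline', does not
    # stop an injected <script>. (Nonce/hash exceptions are not modelled here.)
    csp = h.get("content-security-policy", "")
    if csp:
        directives = {}
        for d in csp.split(";"):
            tokens = d.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        script = directives.get("script-src", directives.get("default-src"))
        if script is None:
            findings.append("CSP sets neither script-src nor default-src; scripts are unrestricted")
        elif "'unsafe-inline'" in script:
            findings.append("CSP allows 'unsafe-inline' scripts; injected inline code still runs")
    return findings

# Constructed samples: a site with a valid padlock but weak headers, and a fixed one.
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
          "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
```

In practice you would fill the dict from `curl -I https://yourdomain` or `requests.get(url).headers` and run `audit_headers` on it.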

3. Strong admin authentication

The login page is the most attacked part of your site. Lock it down:

  1. Change the default admin URL (e.g. /wp-admin to something custom)
  2. Enforce strong passwords — 16+ characters, generated, not memorised
  3. Enable two-factor authentication on every admin account
  4. Limit login attempts (5 failures = 30-minute lockout)
  5. Remove unused admin accounts from former staff or contractors
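
Step 4 in code, as an added example rather than WordPress or WebSentry code: the limiter below implements the stated rule (5 failures, then a 30-minute lockout) and tracks it both per account and per source IP, so a bot cannot keep guessing by rotating usernames, nor a single account be guessed from many addresses. The clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict
# Added example (not WebSentry's or WordPress's code): the rule from step 4, 5 failures
# then a 30-minute lockout, tracked per account and per source IP so that neither a
# single account nor a single bot IP can keep guessing. The clock is injectable for tests.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 30 * 60


def _keys(username: str, ip: str):
    return (f"user:{username.lower()}", f"ip:{ip}")


class LoginLimiter:
    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(list)  # key -> timestamps of failures inside the window
        self.locked_until = {}             # key -> time at which the lock expires

    def is_locked(self, username: str, ip: str) -> bool:
        t = self.now()
        return any(self.locked_until.get(k, 0) > t for k in _keys(username, ip))

    def record_failure(self, username: str, ip: str) -> bool:
        """Record one failed attempt; returns True if it triggered a lockout."""
        t = self.now()
        locked = False
        for k in _keys(username, ip):
            # Only failures inside the last lockout period count toward the limit.
            recent = [f for f in self.failures[k] if t - f < LOCKOUT_SECONDS] + [t]
            if len(recent) >= MAX_FAILURES:
                self.locked_until[k] = t + LOCKOUT_SECONDS
                recent, locked = [], True
            self.failures[k] = recent
        return locked

    def record_success(self, username: str, ip: str) -> None:
        # A correct password clears the counters but never lifts an active lock.
        for k in _keys(username, ip):
            self.failures.pop(k, None)

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """Wrap around the real password check; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(username, ip):
            return "locked"
        if password_ok:
            self.record_success(username, ip)
            return "ok"
        self.record_failure(username, ip)
        return "failed"
```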

4. Keep everything updated

Roughly 90% of WordPress hacks involve outdated plugins or themes. The fix is boring but works:

  • Enable automatic updates for minor releases
  • Schedule a monthly check for major plugin/theme updates
  • Delete plugins you're not using — deactivated isn't deleted
  • Avoid nulled or pirated themes (they almost always contain backdoors)

The Cookie and Privacy Layer

If you're collecting any data — even just analytics — your cookies need attention. Misconfigured cookies are both a security and compliance problem.

Cookie flags that matter

  • Secure — only sent over HTTPS
  • HttpOnly — JavaScript can't read it (blocks session theft via XSS)
  • SameSite=Lax or Strict — prevents CSRF attacks

Most CMS platforms set these correctly by default now, but custom-built sites and older WordPress installs often don't. Check your session cookies specifically — those are the ones attackers want.
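
An added example (not WebSentry's code) of checking those flags: it parses the Set-Cookie headers of a response and reports which of Secure, HttpOnly and SameSite are missing, demanding HttpOnly only of cookies that look like sessions, since a preference cookie may legitimately be read by page scripts. The session-name hints and the sample headers are this example's own assumptions.

```python
# Added example (not WebSentry's code): parse Set-Cookie headers and flag the missing
# flags above. HttpOnly is only demanded of cookies that look like sessions, since
# a preference cookie may legitimately be read by page scripts. Samples are constructed.
SESSION_HINTS = ("sess", "auth", "token", "login", "logged_in")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    c = parse_set_cookie(header)
    name, a = c["name"], c["attrs"]
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    findings = []
    if "secure" not in a:
        findings.append("missing Secure: also sent over plain HTTP")
    if session_like and "httponly" not in a:
        findings.append("missing HttpOnly: an injected script can read and steal the session")
    if a.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")
    if name.startswith("__Host-") and ("secure" not in a or a.get("path") != "/" or "domain" in a):
        findings.append("__Host- prefix rules not met (Secure, Path=/, no Domain)")
    return [f"{name} ({'session' if session_like else 'other'}): {f}" for f in findings]


def audit_set_cookies(headers: list) -> list:
    """Audit every Set-Cookie header of a response; session findings are listed first."""
    results = [f for h in headers for f in audit_cookie(h)]
    return sorted(results, key=lambda f: "(session)" not in f)


# Constructed response: an older WordPress-style install next to correctly flagged cookies.
SAMPLE = [
    "wordpress_logged_in_a1b2=admin%7C1700000000%7Cabc; Path=/; HttpOnly",
    "PHPSESSID=k3j4h5g6; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]
```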

DNS: The Layer Nobody Thinks About

Your DNS records are a quiet attack surface. Two things to audit:

SPF, DKIM, and DMARC

Without these email authentication records, attackers can spoof emails from your domain. For a small business, that means someone can send phishing emails that look like they came from billing@yourcompany.com. Set up:

  • SPF — lists which servers can send email for your domain
  • DKIM — cryptographically signs outgoing email
  • DMARC — tells receivers what to do when SPF/DKIM fail

Dangling subdomains

If you ever pointed shop.yourcompany.com at a Shopify store and then cancelled, but left the DNS record, someone else can claim that subdomain. Audit your DNS at least once a year and delete records for services you no longer use.
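
Both DNS audits above (the email authentication records and dangling subdomains) as one added example, not WebSentry's code: it works over a constructed zone, with `resolves` standing in for a real lookup (for instance dns.resolver from dnspython) so it runs offline. All records, names and thresholds are this example's own; DKIM is left out because it cannot be checked without knowing the selector.

```python
# Added example (not WebSentry's code): audit both DNS issues above over a constructed
# zone. `txt` maps names to TXT records and `resolves` stands in for a real lookup
# (e.g. dns.resolver from dnspython), so the block runs offline. All records are made up.
def audit_email_auth(txt: dict, domain: str) -> list:
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server may send mail as this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    elif spf[0].split()[-1] not in ("-all", "~all"):
        findings.append(f"SPF ends with '{spf[0].split()[-1]}': unlisted senders are not rejected")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers get no instruction when SPF/DKIM fail")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    # DKIM lives at <selector>._domainkey.<domain>; without knowing the selector it can
    # only be verified by inspecting the DKIM-Signature header of a message you sent.
    return findings


def audit_dangling(cnames: dict, resolves) -> list:
    """Flag CNAMEs whose target no longer exists. A target that still resolves but serves
    the provider's 'no such site' page is the other takeover shape and needs a manual look."""
    return [f"{name} -> {target}: target does not resolve, remove the record or reclaim it"
            for name, target in cnames.items() if not resolves(target)]


# Constructed zone for example.com.
TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
CNAMES = {
    "shop.example.com": "shops.myshopify.com",
    "old-app.example.com": "abandoned-tenant.hosting-provider.invalid",
}
LIVE_TARGETS = {"shops.myshopify.com"}  # stand-in for what a real resolver would answer
```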

Backups That Actually Save You

A backup you've never tested isn't a backup. Real backup hygiene:

  1. Automated daily backups of files and database
  2. Stored off the same server (S3, Backblaze, Google Drive — somewhere else)
  3. At least 30 days of retention so you can roll back past a slow-burning compromise
  4. One restore test per quarter — actually spin up the backup and confirm it works

If your only backup is on the same host that gets compromised, you have no backup.

What to Skip (For Now)

Security advice often piles on without prioritisation. As a small business owner, you can safely deprioritise:

  • Expensive WAF appliances — Cloudflare's free plan covers most needs
  • Penetration testing — overkill until you're handling sensitive customer data at scale
  • SOC 2 compliance — only if a customer is asking for it
  • Bug bounty programs — wait until your basics are airtight

Spend your time on the baseline above. It blocks 95% of what actually targets small business sites.

A Realistic Monthly Security Routine

You don't need a security team. You need 30 minutes a month:

  1. Run a security scan — point WebSentry at your domain and check your grade across SSL, headers, CSP, cookies, DNS and CORS
  2. Apply updates — CMS, plugins, themes, server packages
  3. Review admin users — remove anyone who shouldn't have access
  4. Check backups — confirm the last one ran and is recoverable
  5. Skim access logs — look for repeated 401s or strange user agents hitting your login page
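
Step 5 as a script, added here as an example (not WebSentry's code): it reads combined-format access log lines, the Apache and nginx default, counts failed logins per IP on the login page and lists unusual user agents. It goes one step beyond the "repeated 401s" wording because WordPress answers a failed wp-login.php POST with 200 rather than 401, so POST+200 on that path is counted as a failure too. The paths, agent patterns, threshold and log lines are this example's own.

```python
import re
from collections import Counter

# Added example (not WebSentry's code): step 5 as a script. It reads combined-format
# access log lines (the Apache/nginx default), counts failed logins per IP on the login
# page, and lists unusual user agents. Note that WordPress answers a failed wp-login.php
# POST with 200 rather than 401, so POST+200 is counted as a failure there as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/admin", "/login")
ODD_AGENT = re.compile(r"python-requests|curl/|wget/|go-http-client|^-?$", re.I)
THRESHOLD = 5  # repeated failures from one IP worth a look; matches the article's lockout figure


def skim_access_log(lines, threshold: int = THRESHOLD) -> dict:
    failures, odd_agents = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash on them
        path = m["path"].split("?", 1)[0]
        if not path.startswith(LOGIN_PATHS):
            continue
        failed = m["status"] in ("401", "403") or (
            path == "/wp-login.php" and m["method"] == "POST" and m["status"] == "200")
        if failed:
            failures[m["ip"]] += 1
        if ODD_AGENT.search(m["agent"]):
            odd_agents[(m["ip"], m["agent"])] += 1
    return {
        "repeat_failures": {ip: n for ip, n in failures.items() if n >= threshold},
        "odd_agents": dict(odd_agents),
    }


# Constructed log: a bot hammering wp-login.php, a real visitor, and a couple of 401s.
LINES = [
    f'203.0.113.7 - - [16/May/2026:03:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 4213 "-" "python-requests/2.31"' for s in range(6)
] + [
    '198.51.100.9 - - [16/May/2026:09:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 '
    '"https://example.com/" "Mozilla/5.0 (Windows NT 10.0; rv:125.0) Gecko/20100101 Firefox/125.0"',
    '192.0.2.5 - - [16/May/2026:09:05:40 +0000] "GET /admin HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.5 - - [16/May/2026:09:05:41 +0000] "GET /admin HTTP/1.1" 401 0 "-" "-"',
]
```

Run it with `skim_access_log(open("/var/log/nginx/access.log"))` (path is an example) and look at the two dicts it returns.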

That's it. Thirty minutes, once a month, will keep you ahead of almost every automated attack on the internet.

If you want a quick health check before you start, run a free scan at websentry.dev — you'll get a graded report covering SSL, headers, cookies, DNS and more, with specific issues to fix first.
