
Website Security Checklist for Small Businesses
Most small business website hacks are entirely preventable. They exploit outdated software, weak passwords, and neglected maintenance — not sophisticated techniques. This checklist covers everything you need to secure your website without needing a dedicated IT team.
Key Takeaways
- Outdated software is the leading cause of website compromise — Sucuri's annual Hacked Website Trend Report found that 56% of hacked CMS installations were running outdated software at the time of the attack. Keeping your CMS, plugins, and themes updated is not optional maintenance — it is your primary defence.
- SSL certificates are now a baseline trust signal, not a differentiator — since 2018, Google Chrome has labelled all non-HTTPS sites as "Not Secure". An expired or missing SSL certificate will actively suppress search rankings, trigger browser warnings, and cause visitors to abandon your site immediately.
- Backups are only as useful as your ability to restore from them — many businesses run automated backups without ever testing a restore. The National Cyber Security Centre (NCSC) recommends keeping at least three copies of your data across two different storage types, with one copy off-site, and testing restores regularly.
- Under UK GDPR, a personal data breach must be reported to the ICO within 72 hours — if your website is hacked and customer data is exposed, you are legally obligated to report it to the Information Commissioner's Office. Proactive security measures reduce both the likelihood of a breach and the severity of its consequences.
We see compromised sites every month — almost always from outdated plugins or weak passwords. When a small business website gets hacked, the consequences are immediate and disruptive: the site goes down, Google may blacklist it, email deliverability tanks, and customer data can be exposed. In some cases the site has to be rebuilt from scratch.
The good news is that most small business website attacks are entirely preventable. They're not targeted — they're automated. Bots crawl the web looking for known vulnerabilities in outdated software, and they find them in seconds. A properly maintained site with basic security hygiene is invisible to the vast majority of these attacks.
This checklist covers everything a small business owner or marketing manager should know about keeping their website secure — without needing a dedicated IT team.
SSL Certificate
An SSL certificate encrypts data transmitted between your website and your visitors' browsers. Practically, it's what turns `http://` into `https://` and displays the padlock icon in the browser address bar.
Why It Matters
- Chrome and other browsers display a "Not Secure" warning for HTTP sites, which causes visitors to immediately distrust or abandon the site
- Google uses HTTPS as a ranking signal — non-HTTPS sites are penalised in organic search
- Without SSL, any data submitted through your contact form, login page, or checkout is transmitted in plain text
Action Steps
- Confirm your SSL certificate is installed and valid (go to your site — if there's a padlock, you're covered; if there's a warning, you're not)
- Check the expiry date — most certificates are valid for 90 days to 1 year and must be renewed. Many hosting providers auto-renew, but not all
- Ensure your site forces HTTPS — visiting `http://yourdomain.com` should automatically redirect to `https://`
- Check that your certificate covers all subdomains you use (www, mail, etc.)
A lapsed SSL certificate is one of the most common and most avoidable website security failures we encounter.
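The expiry, subdomain-coverage and forced-HTTPS checks in the action steps above can be scripted so they run on a schedule rather than relying on someone remembering to look for the padlock. The following is an added example, not code from the original post; it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the expiry and coverage checks run offline against a constructed certificate, and `fetch_peer_cert()` and `forces_https()` run them live when you have network access. The hostnames, dates and the 14-day warning threshold are constructed assumptions.

```python
"""Certificate checks for the SSL action steps (added example, not the post's code)."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example-shop.co.uk"),),),
    "subjectAltName": (
        ("DNS", "example-shop.co.uk"),
        ("DNS", "www.example-shop.co.uk"),
    ),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}
# Fixed "today" so the offline run is reproducible.
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def _name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard that covers exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        label, _, parent = hostname.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == hostname


def uncovered_hostnames(cert, hostnames):
    """Hostnames (www, mail, ...) that no DNS subjectAltName entry covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(_name_matches(s, h) for s in sans)]


def certificate_report(cert, hostnames, warn_days=14, now=None):
    """Plain-language findings; an empty list means these checklist items pass."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} day(s) ago")
    elif days <= warn_days:
        findings.append(f"certificate expires in {days} day(s); confirm renewal is scheduled")
    for host in uncovered_hostnames(cert, hostnames):
        findings.append(f"{host} is not covered by the certificate")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch the live certificate, validated against the system trust store (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def forces_https(hostname, timeout=5):
    """True if a plain http:// request is answered with a redirect to https:// (needs network)."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
    finally:
        conn.close()


if __name__ == "__main__":
    hosts = ["example-shop.co.uk", "www.example-shop.co.uk", "mail.example-shop.co.uk"]
    for line in certificate_report(SAMPLE_CERT, hosts, now=SAMPLE_NOW) or ["all checks pass"]:
        print(line)
```

Run against the constructed certificate it reports that `mail.example-shop.co.uk` is not covered; for a live site replace `SAMPLE_CERT` with `fetch_peer_cert("yourdomain.com")` and run it from cron a couple of times a week, which is cheap insurance against the lapsed-certificate failure described above. The wildcard rule is deliberately strict: `*.example.com` covers `www.example.com` but not `example.com` itself or `a.b.example.com`, which is how browsers treat it.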
Keeping Your CMS and Plugins Updated
If your website runs on WordPress, Joomla, Drupal, Magento, or any other CMS, the software that powers it needs regular updates. The same applies to every plugin, theme, and extension you've installed.
Why Updates Matter
When a security vulnerability is discovered in a CMS or plugin, the developer patches it in the next version. That patch is public — which means attackers now know exactly what vulnerability exists in every un-updated site. Automated bots begin scanning for it within hours.
Sucuri's research consistently finds that the majority of compromised CMS sites were running outdated core software or plugins at the time of attack. This isn't coincidence — it's cause and effect.
Action Steps
- Log in to your CMS dashboard and check for pending updates weekly
- Apply core CMS updates, plugin updates, and theme updates promptly — don't defer them
- Remove plugins and themes you're not actively using — a deactivated plugin's files remain on the server and can still be reached and exploited, so deactivating is not enough; delete it
- Enable automatic minor updates where possible (for CMS core and security patches especially)
- Before major updates, take a full site backup first
Abandoned Plugins
A particularly dangerous scenario is an abandoned plugin — one whose developer has stopped maintaining it. Unpatched vulnerabilities in abandoned plugins will never be fixed. Audit your plugins annually and replace any that haven't been updated in over a year.
Strong Passwords and Two-Factor Authentication
Brute-force attacks — where bots systematically try username and password combinations — are among the most common attack vectors for small business websites. The solution is straightforward.
Passwords
- Use a unique, randomly generated password for your CMS admin account, hosting control panel, FTP, and database
- Minimum 16 characters, mixing letters, numbers, and symbols
- Never reuse passwords across accounts
- Use a password manager (1Password, Bitwarden, and similar tools) to generate and store them securely
The NCSC's password guidance recommends using three random words as a baseline — simple to remember, hard to brute-force — combined with 2FA for any high-value account.
Two-Factor Authentication (2FA)
Enable 2FA on your CMS login, your hosting account, and your domain registrar. Even if a password is compromised, 2FA requires a second verification step — typically a code from an authenticator app — that the attacker won't have.
Most CMS platforms offer 2FA plugins or built-in support. There is no legitimate reason not to have it enabled on your admin account.
Regular Backups
A backup is your insurance policy. If your site is hacked, infected with malware, or experiences a catastrophic hosting failure, a recent clean backup is what gets you back online without rebuilding from scratch.
What to Back Up
- All website files (themes, plugins, uploads, core files)
- Your database (where your content, settings, and user data live)
Backup Best Practices
The NCSC recommends the 3-2-1 rule: three copies of your data, across two different storage types, with at least one copy off-site (not on the same server as your live site).
In practice:
- Your hosting provider may run automatic backups — check whether this is included in your plan and how far back they go
- Run your own additional backups to a separate location (cloud storage like Google Drive, Dropbox, or a dedicated backup service)
- Schedule backups at least weekly for low-traffic sites, daily for active e-commerce or high-content sites
Test Your Restores
This is the step almost everyone skips. A backup you can't restore from is worthless. At least twice a year, test a full restore to a staging environment to confirm the backup is valid and you know the process.
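A restore test is only meaningful if you can prove the restored files match what was backed up, so a checksum manifest written at backup time is worth keeping alongside the archive. The block below is an added example covering both the "what to back up" list and the restore test, not code from the original post or from any backup product: it archives a site directory plus a database dump, writes a SHA-256 manifest beside the archive, restores into a fresh staging directory and checks every restored file against the manifest. The sample site, dump contents and paths are constructed, and a real database dump would come from your CMS or `mysqldump` rather than a hand-written file.

```python
"""Backup-and-restore drill (added example, not the post's code)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streaming SHA-256 of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(site_dir, db_dump, dest_dir):
    """Write site-backup.tar.gz and manifest.json into dest_dir."""
    dest_dir = Path(dest_dir)
    archive = dest_dir / "site-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="files")        # themes, plugins, uploads, core
        tar.add(str(db_dump), arcname="database.sql")  # content, settings, user data
    # The manifest is built from the live sources, not from the archive, so a
    # truncated or corrupted archive cannot vouch for itself.
    manifest = {"files/" + rel: h for rel, h in build_manifest(site_dir).items()}
    manifest["database.sql"] = sha256_of(db_dump)
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def extract_backup(archive, restore_dir):
    """Unpack into restore_dir (a staging area, never the live site)."""
    # The 'data' filter (Python 3.12+, backported to 3.8.17+) rejects absolute
    # paths and path traversal inside the archive; older interpreters skip it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **extra)


def verify_restore(restore_dir, manifest):
    """List files that are missing or whose content differs from the manifest."""
    restored = build_manifest(restore_dir)
    problems = []
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def run_drill(tamper=False):
    """End-to-end drill on a constructed site; tamper=True simulates a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'constructed sample'; ?>\n")
        (site / "wp-content" / "uploads" / "logo.txt").write_text("constructed upload\n")
        dump = tmp / "db.sql"  # constructed stand-in for a real database dump
        dump.write_text("INSERT INTO wp_posts VALUES (1, 'Hello world');\n")
        backups = tmp / "backups"
        backups.mkdir()
        archive, manifest = create_backup(site, dump, backups)

        restore = tmp / "restore"
        extract_backup(archive, restore)
        if tamper:
            (restore / "database.sql").write_text("-- truncated dump\n")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print("clean restore:", run_drill() or "all files verified")
    print("tampered restore:", run_drill(tamper=True))
```

The clean drill returns an empty problem list; the tampered run reports `corrupt: database.sql`, which is exactly the silent failure (an archive that exists but no longer restores a working site) that the twice-yearly test is meant to catch. Copying `manifest.json` to your off-site location with the archive satisfies the 3-2-1 rule for the manifest as well as the data.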
Malware Scanning
Malware on a website can do several things: redirect visitors to malicious sites, harvest form submissions, serve spam, mine cryptocurrency in visitors' browsers, or simply deface your site. Often you won't know it's there until Google blacklists you or a customer reports something suspicious.
How to Scan
- Many hosting providers include malware scanning as part of their plan
- Third-party tools like Sucuri SiteCheck offer free remote scans that check for known malware signatures and blacklist status
- More thorough server-side scanning tools (Sucuri, Wordfence for WordPress, MalCare) scan file-level content that remote tools can't see
What to Do If You Find Malware
Do not attempt to remove malware yourself unless you're technically confident. Partial removal often leaves backdoors that lead to re-infection within days. Professional malware removal is part of what we handle through our SiteCare service — and in most cases we can have a site cleaned and back online within a few hours.
Firewall and WAF
A Web Application Firewall (WAF) sits between your website and incoming traffic, filtering out malicious requests before they reach your site. It blocks:
- Known bot traffic
- SQL injection attempts
- Cross-site scripting (XSS) attacks
- Brute-force login attempts
- DDoS attacks (volumetric and application-layer)
OWASP's Web Security Testing Guide identifies SQL injection and XSS as two of the most critical and common web vulnerabilities — both of which a WAF is specifically designed to mitigate.
Options
- DNS-level WAFs (Cloudflare is the most widely used) route your traffic through their network before it reaches your server
- Plugin-based WAFs (Wordfence, Sucuri for WordPress) provide application-level filtering
- Some managed hosting plans include a WAF by default
Cloudflare's free tier provides meaningful DDoS protection and basic filtering for most small business sites. Paid tiers add more sophisticated rules.
Secure Hosting
Not all hosting is created equal from a security perspective. Shared hosting — where your site sits on the same server as potentially hundreds of others — means that a compromised neighbour can sometimes affect your site. It also typically means fewer security controls, less frequent updates, and limited visibility into what's happening at the server level.
For small businesses, the key questions to ask of any hosting provider:
- Is the server software (PHP, MySQL, Apache/Nginx) kept updated?
- Are security patches applied promptly?
- Is malware scanning included?
- Are automatic backups included, and how far back do they go?
- Is a WAF included or available?
- What is the disaster recovery process if the server is compromised?
If your current hosting provider can't answer these questions clearly, that's a red flag. Our SiteCare plans include managed hosting with all of these covered as standard.
Limiting Admin Access
The principle of least privilege: give users only the access they need for their role. If your site has multiple user accounts, audit them regularly.
Action Steps
- Remove admin accounts for people who no longer work with or for the business
- Assign editor or author roles (rather than administrator) to anyone who only needs to write or edit content
- Never share admin credentials — each person should have their own account
- If a web developer or agency has admin access to your site for a project, revoke it when the project is complete
This also applies to your hosting control panel and FTP — access credentials for contractors should be time-limited and revoked after project completion.
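Auditing accounts "regularly" is easier when the checks are written down, so here is an added example (not code from the original post or from any CMS) that applies the action steps above to a user export. It flags generic shared admin accounts, contractor access that has outlived its project, accounts idle for more than 90 days, and an administrator count above what a small business usually needs. The export format, the `contract_end` field, the usernames and the thresholds are constructed assumptions; a WordPress site, for instance, would need a short adapter from its user table to this shape.

```python
"""Admin-access audit (added example, not the post's code)."""
from datetime import date

# Constructed sample user export; 'contract_end' is an assumed field the
# business records for agencies and freelancers.
SAMPLE_USERS = [
    {"username": "sam", "role": "administrator", "last_login": "2025-05-28"},
    {"username": "admin", "role": "administrator", "last_login": "2025-05-30"},
    {"username": "jo.writer", "role": "administrator", "last_login": "2025-05-29"},
    {"username": "dev-agency", "role": "administrator", "last_login": "2025-01-10",
     "contract_end": "2025-02-28"},
    {"username": "old.marketing", "role": "editor", "last_login": "2024-09-01"},
]
SAMPLE_TODAY = date(2025, 6, 1)  # fixed date so the run is reproducible

# Names that usually mean a shared login rather than a person.
GENERIC_NAMES = {"admin", "administrator", "webmaster", "root", "test"}


def audit_users(users, today=None, stale_days=90, max_admins=2):
    """Return (username, finding) pairs; an empty list means nothing to action."""
    today = today or date.today()
    findings = []
    admins = [u for u in users if u["role"] == "administrator"]
    for user in users:
        name = user["username"]
        if user["role"] == "administrator" and name.lower() in GENERIC_NAMES:
            findings.append((name, "generic admin account: replace with named per-person accounts"))
        end = user.get("contract_end")
        if end and date.fromisoformat(end) < today:
            findings.append((name, f"contractor access past its end date ({end}): revoke"))
        idle = (today - date.fromisoformat(user["last_login"])).days
        if idle > stale_days:
            findings.append((name, f"no login for {idle} days: remove or downgrade"))
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrator accounts: confirm each needs full rights"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS, SAMPLE_TODAY):
        print(f"{name:15} {finding}")
```

On the constructed export this flags the shared `admin` login, the agency account that should have gone when its project ended in February (which is also stale), the idle editor, and the fact that four of five accounts are administrators. The same rules apply unchanged to a hosting control panel or FTP user list once it is exported into the same shape.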
GDPR and Data Security
If your website collects personal data — through a contact form, an email sign-up, an e-commerce checkout, or any other mechanism — you have obligations under UK GDPR.
Key Requirements
- Privacy Policy — you must have one, and it must accurately describe what data you collect, why, and how it's stored
- Breach notification — if personal data is exposed through a hack, you must report it to the ICO within 72 hours of becoming aware of it
- Data minimisation — only collect data you actually need
- Secure transmission — all forms collecting personal data must use HTTPS (hence the SSL requirement above)
The ICO's data security guidance for small organisations is worth reading in full if you process any personal data through your website.
Uptime Monitoring
Security and uptime are closely linked. If your site goes down unexpectedly, it may indicate a server failure — or it may indicate an attack. You won't know unless you're monitoring.
Free uptime monitoring tools (UptimeRobot, Better Uptime, and similar) ping your site every few minutes and alert you immediately if it becomes unreachable. Setting this up takes ten minutes and means you're not the last person to find out your site is down.
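The logic behind those services is simple enough to see in full: probe on an interval, treat a check as failed on a connection error, a non-2xx status or a missing page marker (the marker also catches a defacement or redirect hijack that leaves the server "up"), and alert only after several consecutive failures so one slow response does not page anyone. The block below is an added example, not code from the original post or from UptimeRobot or Better Uptime; `probe_http()` needs network access, while `replay()` drives the same monitor with scripted results so the alerting behaviour can be checked offline. The URL, marker text and thresholds are assumptions.

```python
"""Uptime monitor with a consecutive-failure threshold (added example, not the post's code)."""
import time
import urllib.error
import urllib.request


def probe_http(url, expect_text, timeout=10):
    """One live check; returns (ok, detail). Not called in the offline replay."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(200_000).decode("utf-8", "replace")
            if resp.status // 100 != 2:
                return False, f"HTTP {resp.status}"
            if expect_text not in body:
                # Page served but not our content: likely defacement or redirect hijack.
                return False, "expected page text not found"
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        return False, f"HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return False, f"unreachable: {err}"


class UptimeMonitor:
    """Raise a DOWN event after alert_after consecutive failures, RECOVERED on the next success."""

    def __init__(self, probe, alert_after=3):
        self.probe = probe
        self.alert_after = alert_after
        self.consecutive_failures = 0
        self.alerting = False
        self.events = []  # (state, detail) transitions, in order

    def tick(self):
        ok, detail = self.probe()
        if ok:
            if self.alerting:
                self.events.append(("RECOVERED", detail))
            self.consecutive_failures = 0
            self.alerting = False
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.alert_after and not self.alerting:
                self.alerting = True
                self.events.append(("DOWN", detail))
        return self.alerting


def replay(results, alert_after=3):
    """Drive the monitor with scripted (ok, detail) results; returns the events raised."""
    scripted = iter(results)
    monitor = UptimeMonitor(lambda: next(scripted), alert_after=alert_after)
    for _ in results:
        monitor.tick()
    return monitor.events


def run_forever(url, expect_text, interval_seconds=300, alert_after=3):
    """Live loop: check every five minutes and print each state change (needs network)."""
    monitor = UptimeMonitor(lambda: probe_http(url, expect_text), alert_after)
    seen = 0
    while True:
        monitor.tick()
        for state, detail in monitor.events[seen:]:
            print(time.strftime("%Y-%m-%d %H:%M:%S"), state, url, detail)
        seen = len(monitor.events)
        time.sleep(interval_seconds)


if __name__ == "__main__":
    # Constructed sequence: a brief blip, then a real outage, then recovery.
    script = [(True, "HTTP 200"), (False, "unreachable: timeout"), (False, "unreachable: timeout"),
              (True, "HTTP 200"), (False, "HTTP 503"), (False, "HTTP 503"), (False, "HTTP 503"),
              (True, "HTTP 200")]
    for state, detail in replay(script):
        print(state, detail)
```

With the default threshold of three, the two-probe blip in the scripted sequence produces no alert and the three-probe outage produces one DOWN followed by one RECOVERED; lowering `alert_after` to two turns the blip into a second alert pair, which is the trade-off between noise and speed that the hosted tools expose as a setting. Replace the `print` in `run_forever()` with an email or messaging call to get the same immediate notification the free tools provide.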
The "Done for You" Option
If this checklist feels like a lot to manage alongside running a business — that's because it is. Security is not a one-time task; it's an ongoing programme of updates, monitoring, and response.
That's exactly what our SiteCare service is designed for. It covers managed hosting, SSL, automated backups, malware scanning, plugin updates, security monitoring, and a dedicated support allocation for content changes — all for a fixed monthly fee. You can see a full breakdown on our pricing page.
Alternatively, if you're not sure where your current site stands, a website audit will surface any security and performance issues so you know exactly what needs attention.
Frequently Asked Questions
How do I know if my website has been hacked?
Common signs include: your site is redirecting visitors to an unknown URL, Google Search Console is showing security warnings, your hosting provider has suspended the account, visitors are reporting warnings in their browser, your site is appearing in Google with spammy titles or descriptions, or you've noticed unexplained new user accounts or files. You can run a free external scan at Sucuri SiteCheck in seconds. If you suspect a compromise, don't delay — contact your hosting provider and a security professional immediately. Leaving an infected site live causes further damage to your SEO, your reputation, and potentially your visitors.
Does my hosting provider cover me for security issues?
It depends on your plan and provider. Most basic shared hosting plans do not include active security monitoring, malware removal, or guaranteed restores after a hack — they provide the infrastructure, but security is treated as your responsibility. Some managed hosting providers and managed WordPress hosts include more proactive security features. The clearest way to know is to check your hosting plan's terms and ask your provider directly what their incident response process is. If you're on an unmanaged plan, you are largely on your own when something goes wrong.
Is a free SSL certificate as secure as a paid one?
For the vast majority of small business websites, yes. Free SSL certificates issued by Let's Encrypt provide the same level of encryption (TLS 1.2/1.3) as paid certificates. The main difference with paid certificates is the validation level — paid certificates can offer Organisation Validation (OV) or Extended Validation (EV), which verify that the certificate holder is a legitimate registered business. For e-commerce or financial services where trust signals are particularly important, OV or EV certificates add visible credibility. For most service business websites, a Let's Encrypt certificate renewed automatically by your hosting provider is entirely sufficient.
Related Reading
- The Complete Guide to Website Maintenance
- Shared Hosting vs Managed Hosting: What UK Businesses Need to Know
- The Real Cost of Website Downtime for UK Businesses
- Signs Your Website Is Costing You Customers
- Website Security for Small Businesses: The Complete 2026 Guide
Security doesn't have to be complicated — but it does have to be consistent. The businesses we see suffer the worst consequences are not the ones who had sophisticated attacks launched against them; they're the ones who let basic maintenance slide for six months. If you'd like someone to take the ongoing security and maintenance burden off your hands, take a look at SiteCare or get in touch to talk through your options.
Sam Butcher
Founder, Brambla
Sam is the founder of Brambla (SDB Digital Ltd), a creative digital agency based in Devon. He manages website hosting, security and maintenance for businesses that need their sites running reliably without the overhead of an in-house team.