Security basics for small business websites

Why security matters

Small websites are common targets for attacks. Attackers look for easy targets, not just high-value ones.

A compromised website can:

• Damage your reputation and trust.
• Expose customer data and personal information.
• Infect visitors with malware.
• Cost time and money to fix.
• Lead to legal and regulatory problems.

Common threats

Outdated software

Outdated software is the most common security risk [1]Source 1 . Known vulnerabilities in old versions are easy for attackers to exploit.

• Keep your CMS, plugins, themes, and dependencies updated.
• Enable automatic updates where safe to do so.
• Review and test updates before applying them to production.

Weak passwords

Weak passwords are easy to guess or crack. They provide an easy way into your site.

• Use strong, unique passwords for all accounts.
• Use a password manager to generate and store passwords.
• Enable two-factor authentication where available.
• Never reuse passwords across different services.

Insecure forms

Forms that do not validate or sanitise input can be exploited [1]Source 1 .

• Always validate and sanitise form input on the server.
• Never trust client-side validation alone.
• Use parameterised queries for database operations.
• Protect against common attacks such as SQL injection and cross-site scripting.

Third-party code

Plugins, themes, and third-party scripts can introduce vulnerabilities.

• Only install code from trusted sources.
• Keep third-party code updated.
• Remove unused plugins and themes.
• Review what third-party code does before installing it.

Basic protections

HTTPS everywhere

Use HTTPS for all pages, not just forms or login pages.

• Encrypts data in transit.
• Protects user privacy.
• Required for many modern web features.
• Helps with search engine rankings.

Keep software updated

Regular updates are your first line of defence [1]Source 1 .

• Update your CMS, plugins, and themes regularly.
• Update server software and dependencies.
• Subscribe to security advisories for software you use.
• Test updates in a staging environment when possible.

Strong authentication

Protect admin accounts and sensitive areas with strong authentication.

• Require strong passwords.
• Enable two-factor authentication for admin accounts.
• Limit login attempts to prevent brute force attacks.
• Use secure password reset processes.

Input validation and sanitisation

Always validate and sanitise user input [1]Source 1 .

• Validate input on the server, not just the client.
• Sanitise data before storing or displaying it.
• Use parameterised queries for database operations.
• Escape output to prevent cross-site scripting attacks.

Content Security Policy

Content Security Policy helps prevent cross-site scripting attacks [3]Source 3 .

• Restricts which scripts can run on your pages.
• Prevents unauthorised code execution.
• Can be complex to configure but provides strong protection.

Platform choice and security

The platform you choose affects your security posture [4]Source 4 .

• Platforms that require many plugins or themes increase your attack surface.
• Complex platforms with frequent security updates need constant maintenance.
• Platforms with large plugin ecosystems increase the risk of vulnerable third-party code.
• Simpler platforms with fewer dependencies are easier to secure and maintain.
• Choose platforms that follow secure coding practices and have good security track records.

Secure by design

Build security into your site from the start [4]Source 4 .

• Choose platforms and tools with good security practices.
• Follow secure coding practices.
• Validate and sanitise input from day one.
• Use HTTPS from the start.
• Plan for security updates and maintenance.

What to monitor

Regular checks

• Check for software updates monthly.
• Review user accounts and remove unused ones.
• Check for suspicious activity in logs.
• Monitor for failed login attempts.

Signs of compromise

Watch for signs that your site might be compromised.

• Unexpected changes to files or content.
• New user accounts you did not create.
• Unexpected redirects or pop-ups.
• Slow performance or unusual server activity.
• Warnings from browsers or security tools.

Backup and recovery

Regular backups help you recover from security incidents.

• Back up your site regularly, at least weekly.
• Store backups securely, separate from your live site.
• Test that you can restore from backups.
• Keep multiple backup copies.
• Document your recovery process.

When to get help

Some security issues need professional help.

• If your site has been compromised, get help immediately.
• If you suspect a data breach, act quickly.
• If you lack technical skills, consider managed hosting or security services.
• If compliance requirements are complex, get expert advice.

Resources and guidance

Use authoritative sources for security guidance [2]Source 2 .

• NCSC provides web application security guidance [2]Source 2 .
• OWASP documents common risks and mitigations [1]Source 1 .
• Platform-specific security documentation for any tools you use.

Common mistakes

• Ignoring software updates.
• Using weak or reused passwords.
• Trusting client-side validation alone.
• Installing untrusted plugins or themes.
• Not using HTTPS.
• Not backing up regularly.
• Not monitoring for signs of compromise.

Priorities for small sites

Focus on the basics first.

1. Use HTTPS everywhere.
2. Keep all software updated.
3. Use strong passwords and two-factor authentication.
4. Validate and sanitise all user input.
5. Back up regularly.
6. Monitor for signs of problems.

Next step

Review your current security setup. Check that you are using HTTPS. Verify all software is up to date. Review your password practices. Ensure forms validate input on the server. Set up regular backups if you have not already. Then make security part of your regular maintenance routine [1]Source 1 . Basic security practices protect most small sites from common threats. For ongoing security monitoring and updates, consider maintenance and support services. For more on maintenance, see maintenance plans that pay for themselves. If you need help fixing security issues, see website security issues.