Website security basics every owner should know
Most website hacks are not clever, targeted attacks. They are automated bots scanning the whole internet for outdated software, weak passwords and forgotten doors left open. The good news is that the same handful of basic habits prevents the large majority of these incidents. You do not need to be a security expert, you need to be disciplined about a few things.
Keep everything updated
Outdated software is the single most common way sites get hacked. When a security hole is found in WordPress, a plugin or a server component, the fix is published, and bots immediately start hunting for sites that have not applied it.
That means every plugin, theme and the platform itself needs regular updates. An abandoned plugin you installed two years ago and forgot about is a classic entry point.
If you run WordPress or a similar system, set a routine: check for updates at least monthly, and apply security updates promptly. Better still, have someone maintain it for you so it never gets forgotten.
Remove what you do not use. Every unused plugin or old theme sitting on the server is extra attack surface for no benefit.
Strong passwords and two-factor authentication
Weak and reused passwords are the second great weakness. Bots try millions of common passwords against login pages, and a password you also use elsewhere may already be in a leaked database.
Use a unique, long password for every admin account and store them in a password manager rather than your memory or a notebook.
Turn on two-factor authentication wherever it is offered, especially for the website admin, the hosting account and your domain registrar. Even if a password leaks, the second factor stops the login.
The domain registrar deserves special care. If someone takes over your domain, they can redirect your whole site and email, which is far harder to recover from than a hacked page.
Back up, and test that you can restore
Backups are what turn a disaster into an inconvenience. If the worst happens, a recent clean backup lets you roll back instead of rebuilding from nothing.
- Keep backups automatic and regular, not something you remember to do by hand.
- Store at least one copy off the server, so a compromised server does not take the backups with it.
- Keep several versions back, because you may not notice a problem for days and need a copy from before it started.
- Actually test a restore once. A backup you have never restored is a guess, not a safety net.
HTTPS and least privilege
HTTPS, the padlock in the address bar, encrypts the connection between your visitor and your site. It is now expected by browsers and by Google, and a certificate is free through Let's Encrypt, so there is no reason to run without it.
Beyond encryption, follow the principle of least privilege: give each person and each tool only the access they actually need.
Not everyone needs to be a full administrator. An editor who writes blog posts should have an editor account, not the keys to the whole site.
When someone stops working with you, remove their access promptly. Old, unused accounts with high privileges are a quiet but real risk.
Watch for trouble before customers do
You do not need a security operations centre, but you should know quickly if something is wrong. A site can be defaced or infected for days before the owner notices, usually when a customer or Google tells them.
Set up basic uptime monitoring so you are alerted if the site goes down or starts redirecting somewhere strange.
Pay attention to Google Search Console, which will warn you if Google detects malware or hacked content on your site.
If you collect personal data, remember that under GDPR a serious data breach can carry a duty to notify the Estonian Data Protection Inspectorate, often within seventy-two hours. Knowing fast is not only good practice, it can be a legal obligation.
FAQ
Is a small business website really a target?+
Yes, but rarely on purpose. Almost all attacks on small sites are automated bots looking for any vulnerable site, not a person targeting you specifically. That is precisely why the basic, mechanical defences work so well against them.
Do I need a paid security plugin or service?+
Not necessarily. Updates, strong passwords with 2FA, backups, HTTPS and least privilege prevent most problems on their own. A reputable security plugin or a managed maintenance plan adds a useful layer, but it does not replace the basics.
What should I do if my site is already hacked?+
Take it offline or into maintenance mode, change all passwords, and restore from a clean backup from before the incident. Then find and close the hole that let them in, otherwise it will happen again. If customer data was exposed, check your GDPR notification duties.
