Most small business websites aren't hacked because someone targeted them personally. They're found by an automated bot scanning the internet for known weaknesses — and they have one. The patterns are predictable, which means you can check for them. Here's a 10-point checklist to see how exposed your website really is.
1. HTTPS is enforced everywhere
Your site should load over https:// with a valid certificate, and any http:// request should redirect to the secure version automatically. If a visitor can reach an unencrypted version of any page, that's a fail.
2. Security headers are set
Headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options defend against whole classes of attack — clickjacking, content injection, protocol downgrade. Most small business sites ship with none of them. You can check yours in seconds at securityheaders.com.
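As an added example (not code from the original article), here is a small Python checker for items 1 and 2: given the status code and Location header a site returned for a plain http:// request, plus the headers its https:// version returned, it lists which checks fail. The one-year HSTS threshold and the sample responses are assumptions, not values from the article.

```python
import re
from typing import Dict, List

# Headers named in item 2; matched case-insensitively.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
ONE_YEAR = 31536000  # assumed threshold: an HSTS max-age below a year is weak


def parse_max_age(hsts_value: str) -> int:
    """Extract max-age from an HSTS value; 0 if it is absent or malformed."""
    match = re.search(r"max-age\s*=\s*(\d+)", hsts_value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def check_site(http_status: int, http_location: str,
               https_headers: Dict[str, str]) -> List[str]:
    """Return the failed checks for items 1 and 2; an empty list is a pass."""
    failures: List[str] = []
    hdrs = {k.lower(): v.strip() for k, v in https_headers.items()}

    # Item 1: a plain http:// request must redirect to an https:// URL.
    if http_status not in (301, 302, 307, 308) or \
            not http_location.lower().startswith("https://"):
        failures.append("http:// request does not redirect to https://")

    # Item 2: every recommended header is present ...
    for name in REQUIRED_HEADERS:
        if not hdrs.get(name):
            failures.append(f"missing header: {name}")

    # ... and carries a value that actually enforces something.
    if "strict-transport-security" in hdrs and \
            parse_max_age(hdrs["strict-transport-security"]) < ONE_YEAR:
        failures.append("strict-transport-security max-age is under one year")
    if hdrs.get("x-frame-options", "").upper() not in ("", "DENY", "SAMEORIGIN"):
        failures.append("x-frame-options must be DENY or SAMEORIGIN")
    if "x-content-type-options" in hdrs and \
            hdrs["x-content-type-options"].lower() != "nosniff":
        failures.append("x-content-type-options must be nosniff")
    return failures


# Constructed sample responses, not captured from any real site.
UNPROTECTED = (200, "", {"Server": "Apache"})
HARDENED = (301, "https://example.com/", {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
})
```

Fetching the two responses (for example with `curl -sI`) is left to you; the checker only evaluates what you pass in.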
3. The platform and plugins are up to date
WordPress core, themes and plugins — or whatever your site runs on — should be on current versions. Once a vulnerability is published, bots scan for unpatched sites within hours. Anything not updated in over a year is a red flag.
4. Unused plugins and themes are removed
Every plugin is code running on your site, and an inactive one still carries its vulnerabilities. If you're not using it, delete it — don't just deactivate it.
5. The admin login is protected
A strong, unique admin password and multi-factor authentication on the login that controls your whole website. Default usernames like "admin" should be gone.
6. Login attempts are limited
Without a limit, attackers can try thousands of password guesses — a "brute-force" attack. Rate-limiting or a login-protection plugin shuts this down.
7. You have working backups
Automatic, off-site backups that you've actually tested restoring. If the worst happens, a good backup is the difference between an afternoon's annoyance and losing your online presence entirely.
8. The site isn't leaking technical detail
Version numbers, directory listings, verbose error messages and exposed configuration files all hand attackers a map of how to get in. These should be locked down.
9. Forms are protected against spam and injection
Contact and search forms are a common entry point. They should validate input and have basic protection so they can't be abused to attack your database or flood your inbox.
10. You'd know if something changed
Some form of monitoring — uptime, file-change detection, or a security plugin — so a compromise doesn't sit unnoticed for weeks. You can't respond to what you can't see.
How did you score?
If you ticked all ten, you're in good shape. More realistically, most small business sites miss three or four — and the first few (HTTPS, headers, updates and MFA) are quick wins that remove the bulk of the risk.
Want a second pair of eyes? A Website Security Review checks your site against this list and more, and our free self-assessment covers your wider security posture. Either way, you'll know exactly where you stand — in plain English.