Website security

Security that addresses the real threat

Nobody is targeting your business. That is the point people miss. The attacks that take small sites down are automated, indiscriminate, and looking for something unpatched. You are not chosen, you are scanned.

Website security for a small business is mostly four unglamorous things: HTTPS that works, a stack with nothing unpatched, accounts that cannot be trivially taken over, and protection at the edge against automated traffic. Get those right and you have addressed the overwhelming majority of what actually happens to small sites.

It is the deep end of website maintenance: most security failures are maintenance failures wearing a scarier name. If you are seeing a specific warning right now, start at website security problems, which explains what each one means.

What actually happens to small business sites

The threat model people imagine is a person deciding to attack them. The real one is a script that has never heard of them.

Automated scanning, constantly

Bots sweep the internet for known vulnerabilities in common software. A plugin advisory gets published, and exploitation of unpatched installs begins almost immediately, at scale, everywhere. The window between a patch existing and your site being probed for it is short. This is why "we will update it next quarter" is a decision, not a delay.

Credential attacks

Automated login attempts using passwords leaked from unrelated breaches. This works because the same password gets reused. If your site admin password is your email password, one breach at a company you have forgotten about is your site.

Your site as someone else's infrastructure

The goal is usually not to deface you. It is to use you quietly: host spam pages under your domain, send mail from your reputation, serve something to your visitors. A compromised site often looks completely normal to its owner for months. The first sign is frequently Google flagging you, and by then your domain reputation is already damaged, which hurts your email deliverability too.

The way in that is not the site

Your domain registrar account, your DNS, your hosting login, your email. Take over the registrar account and the site is irrelevant: they own where it points. This is why two-factor on the registrar and the host matters at least as much as anything on the site itself, and it is almost always the last thing anyone secures.

What actually reduces risk

  • HTTPS everywhere, certificate auto-renewing and verified. Including the www and non-www forms, with everything redirected to one canonical address.
  • Nothing unpatched. The single highest-value habit on this list, and the most neglected. Part of routine care.
  • Less installed software. Every plugin and integration is surface. The safest component is the one you removed.
  • Two-factor on everything that matters. Site admin, hosting, DNS, and especially the domain registrar. The registrar is the crown jewels and nobody treats it that way.
  • Unique passwords, in a password manager. Reuse is how credential attacks succeed. This is free and it is the highest-leverage thing you personally can do today.
  • Edge protection in front of the site. Cloudflare filtering the automated noise before it reaches your host. See Cloudflare management.
  • Backups you have actually restored from. Your real recovery plan when prevention fails, and prevention eventually fails.
  • Fewer admin accounts, and none belonging to people who left. Old accounts for departed staff and former developers are a standing open door.
  • Email authentication in place. SPF, DKIM and DMARC stop others sending as your domain. See business email.

What does not help as much as it is sold

Security is a market with a lot of theatre in it. Worth knowing where the money is wasted.

  • A security plugin over an unpatched stack. Adding software to defend software you have not updated. The patch was the fix.
  • Trust badges and seals. A picture of a padlock is a picture. It changes nothing about your security posture and any visitor who knows that trusts you slightly less.
  • Hiding the admin URL. Marginal. It stops the laziest scanners and nothing else. It is not a substitute for a real password and two-factor.
  • Monthly scan reports nobody reads. A report is not a fix. If nothing is done about what the scan found, you have bought a subscription to knowing you have a problem.
  • Anyone promising you cannot be hacked. Walk away. That is not a claim an honest person makes about any system.

How we approach it

  1. Find out what state you are actually in

    What is running, what is out of date, who has access, where DNS and the domain live, is HTTPS correct. Most of the risk is usually visible within the first hour, and it is usually boring.

  2. Fix the certificate and the redirects

    Any visitor seeing a warning is a visitor you have already lost, so this goes first regardless of what else is wrong.

  3. Close the accounts and access gaps

    Two-factor on the registrar, host and admin. Remove the accounts of people who are gone. This costs nothing and removes a genuine share of the risk.

  4. Patch and reduce

    Update what is current, remove what is not used. Less installed means less to defend, and it is permanent rather than a subscription.

  5. Put protection at the edge

    Cloudflare in front, absorbing the automated traffic before it costs you anything.

  6. Make the recovery real

    Backups off-site, retained usefully, and tested. Because prevention is a probability, not a guarantee.

Who this is for

  • Anyone whose site is showing a "not secure" or certificate warning
  • Businesses on a content system where nobody knows when it was last updated
  • Owners who cannot say who has admin access to their site or domain
  • Businesses that inherited a setup from a developer who is no longer reachable
  • Anyone who has been told by Google that something is wrong with their site

When this is not the right fit

  • Businesses needing malware forensics or incident response on an active breach. We are not that, and telling you so is more useful than taking the money.
  • Anyone needing penetration testing or a compliance audit. That is a specialist discipline and you should hire one.
  • Sites handling payments or storing customer financial data. We do not build payment systems and we are not the right people for that risk profile.
  • Anyone wanting a guarantee they cannot be compromised. Nobody can honestly sell that, and the offer itself is a warning sign.

What SolvenceHQ can help with

Most of what we do here is unglamorous and effective: current software, real passwords, locked-down accounts, working certificates, and something filtering the noise. The exciting-sounding parts matter far less than the boring ones.

  • Diagnose what a specific warning actually means, and how urgent it is
  • HTTPS, certificates and redirects fixed so the padlock is real
  • Hardening and removing what is installed but unused
  • Two-factor and access cleanup across site, host, DNS and registrar
  • Cloudflare protection in front of the site
  • Email authentication so nobody can send as your domain
  • Backups that are off-site, retained usefully, and tested
  • Keeping it current afterwards, via website care

Common questions

Why is my site showing a not secure warning?

Almost always the certificate: missing, expired, or issued for a name that does not match the address people are visiting. The classic version is a certificate for yourbusiness.com while visitors arrive at www.yourbusiness.com, or the reverse.

The other common cause is mixed content: the page loads over HTTPS but pulls an image or script over plain HTTP, so the browser downgrades the padlock. Both are fixable, usually quickly. More detail in website security problems.

Why would anyone attack a small business site? I have nothing worth stealing.

This is the most common and most costly misunderstanding on this page. Nobody chose you. Almost every attack on a small site is automated: bots scanning the whole internet for a known vulnerable plugin version, trying default logins, looking for anything unpatched. They do not know what your business is and they do not care.

What they want is not your data. It is your server and your domain reputation: somewhere to host spam pages, send mail from, or quietly serve something to your visitors. Your site is inventory, not a target. That is precisely why "we are too small to bother with" fails.

Do I need a security plugin?

Sometimes, and it is less important than the boring things. A security plugin on a site with an unpatched core and a plugin from 2019 is a lock on a door with no frame. The order that matters is: keep the stack current, remove what you do not use, use real passwords with two-factor on the admin accounts, then consider tooling.

Also worth saying: every plugin is itself code that can be vulnerable, including security plugins. More installed software is more surface. The most secure component is the one that is not there.

What if my site has already been hacked?

Tell us and we will look, but be aware of the limits: we are not a malware forensics firm and we will not pretend to be. What we can do is assess it honestly, work with your host, and in many cases the cleanest path is a rebuild from known-good sources rather than trying to pick an infection out of a codebase you can no longer trust.

That is not a sales pitch, it is the uncomfortable reality of a compromise: once someone has had access, you cannot easily prove what they left behind. If we think you need a specialist, we will tell you that instead of taking the work.

Is a static site more secure than WordPress?

Fewer moving parts, yes. No database to inject, no plugins to exploit, no admin login to brute force. The attacks that account for most compromises of small business sites simply do not have anything to grab hold of.

That does not mean invulnerable. Your DNS, your hosting account, your domain registrar and your email are all still targets, and those are frequently the softer way in. Security is not one decision about the site. See website development for when a static build is the right call.

Get a Quote

Seeing a warning, or just not sure?

Send us what you are seeing and the URL. We will tell you what it actually means, whether it is urgent, and what it takes to clear it.