I got a call at 7 AM on a Tuesday from a client who ran a small accounting firm. “Our website is showing pharmaceutical ads,” she said, her voice somewhere between confused and panicked. “We don’t sell pharmaceuticals.”
I pulled up her site, and sure enough, every page had been injected with hidden links and pop-ups advertising products that had absolutely nothing to do with accounting. Her WordPress site had been compromised through a contact form plugin that hadn’t been updated in eleven months. The attacker hadn’t stolen data or taken the site down — they’d used it as a platform to boost their own SEO through injected spam links. Her site’s search rankings had already tanked because Google had flagged it as compromised.
It took three days to fully clean the infection, restore from a backup, patch the vulnerability, and submit a reconsideration request to Google. During those three days, her website was offline. Potential clients searching for accounting services in her area found competitors instead. The total cost of the incident — cleanup, lost business, reputation damage — far exceeded what basic security measures would have cost in the first place.
This story isn’t unusual. It happens to small businesses every single day. And the frustrating part is that most of these attacks are entirely preventable with straightforward security practices that don’t require a computer science degree or a massive budget.
Why Small Businesses Are Prime Targets
There’s a dangerous misconception that hackers only go after big companies. “Why would anyone target my little business?” I hear this constantly. The reality is exactly the opposite. Small businesses are preferred targets for several reasons.
First, the attacks are automated. Hackers don’t sit at keyboards personally targeting your website. They write scripts that scan millions of websites looking for known vulnerabilities. Your small accounting firm’s website isn’t being personally targeted — it’s being swept up in a massive automated net along with thousands of other sites. The bot doesn’t know or care how big your business is. It just found a vulnerability and exploited it.
Second, small businesses typically have weaker security. Large enterprises have dedicated IT security teams, enterprise firewalls, intrusion detection systems, and security budgets that run into millions. A small business usually has none of that. The website was built two years ago, nobody’s checked on the plugins since, and the admin password is the owner’s dog’s name followed by “123.” From an attacker’s perspective, that’s low-hanging fruit.
Third, small businesses often handle valuable data without realizing it. Customer email addresses, phone numbers, contact form submissions, payment information (if you do any e-commerce), employee records — this data has value on the dark web. A single customer database with names and email addresses can be sold or used for phishing attacks.
Fourth, small businesses are less likely to detect a breach quickly. Enterprise companies have monitoring systems that alert them within minutes of unusual activity. A small business owner might not notice their site has been compromised for weeks or months, giving attackers plenty of time to extract value.
Common Attack Types You Need to Understand
You don’t need to understand the technical details of every attack vector, but you should know the basics of what you’re protecting against.
SQL Injection is one of the oldest and still most common attack types. It works by inserting malicious database commands through input fields on your website — contact forms, search boxes, login pages. If your site doesn’t properly validate and sanitize user input, an attacker can manipulate your database. They can read sensitive data, modify records, delete content, or even take control of the server. Properly parameterized database queries prevent this entirely.
Cross-Site Scripting (XSS) involves injecting malicious JavaScript into your web pages. When other visitors load the affected page, the script runs in their browser. It can steal login cookies, redirect users to phishing sites, or modify the page content. XSS attacks exploit websites that display user-generated content without properly sanitizing it. Every piece of user input that gets displayed on your site needs to be escaped and sanitized.
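The two fixes just described, parameterized queries and output escaping, side by side in a small Python/SQLite example added here (not code from the original article). The contact-form rows, the hostile inputs and the `find_by_name_*` function names are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data standing in for stored contact-form submissions.
SUBMISSIONS = [
    ("alice", "Question about quarterly bookkeeping"),
    ("bob", "Invoice 1042 looks wrong"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (name TEXT, message TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?)", SUBMISSIONS)
    return conn


def find_by_name_unsafe(conn, name):
    # Vulnerable: the user-supplied value is pasted into the SQL text, so a
    # quote character in the input changes the structure of the query.
    sql = f"SELECT name, message FROM submissions WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    # Parameterized: the value travels separately from the SQL text, so the
    # database only ever compares it as a literal string, quotes and all.
    sql = "SELECT name, message FROM submissions WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_message(message):
    # Escape at output time so a stored <script> tag is shown as text rather
    # than run by the next visitor's browser.
    return f"<p>{html.escape(message, quote=True)}</p>"


def demo():
    """Run both lookups with the same hostile input and render a hostile message.

    Returns (row count from unsafe query, row count from safe query, rendered HTML)."""
    conn = make_db()
    hostile_name = "x' OR '1'='1"
    unsafe_rows = find_by_name_unsafe(conn, hostile_name)  # every row leaks
    safe_rows = find_by_name_safe(conn, hostile_name)      # no such name exists
    rendered = render_message("<script>alert(1)</script>")
    return len(unsafe_rows), len(safe_rows), rendered


if __name__ == "__main__":
    print(demo())
```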
Brute Force Attacks are the simplest to understand. Bots try thousands of username and password combinations against your login page until they find one that works. If your admin password is weak, this is trivially easy. The attack takes advantage of the fact that many people use simple, predictable passwords. Rate limiting login attempts and using strong passwords stops brute force attacks cold.
Phishing targets people rather than technology. An attacker sends an email that looks like it’s from your hosting provider, domain registrar, or CMS platform, asking you to “verify your account” or “update your payment method.” The link goes to a fake login page that captures your credentials. Once they have your hosting or CMS login, they own your website. No amount of technical security protects against a team member handing over credentials to a convincing phishing email.
DDoS (Distributed Denial of Service) attacks flood your website with so much traffic that legitimate visitors can’t get through. Your server gets overwhelmed and either slows to a crawl or goes completely offline. DDoS attacks are less common against small businesses but can happen, especially if your business operates in a competitive niche where someone might want to take your site down temporarily.
Essential Security Measures: The Non-Negotiables
SSL/HTTPS: Encrypting the Connection
If your website is still on HTTP instead of HTTPS, stop reading this article and fix that first. I’m serious. SSL certificates encrypt the connection between your visitors’ browsers and your server. Without it, any data transmitted — form submissions, login credentials, payment details — can be intercepted by anyone on the same network.
Beyond security, HTTPS is now a baseline expectation. Chrome, Firefox, and other browsers display “Not Secure” warnings on HTTP sites. Google uses HTTPS as a ranking signal. Visitors see the warning and leave. It’s 2026 — there is zero excuse for not having SSL. Most hosting providers offer free SSL certificates through Let’s Encrypt. If your host doesn’t, that’s a sign you need a better host.
Strong Passwords and Two-Factor Authentication
I wish I didn’t have to include this section, but the reality is that weak passwords remain one of the most common entry points for attackers. Every account associated with your website — hosting control panel, CMS admin, FTP, database, email — needs a strong, unique password.
A strong password is at least 16 characters long and includes a mix of uppercase letters, lowercase letters, numbers, and special characters. Better yet, use a passphrase — a string of four or five random words. Something like “correct horse battery staple” is both easier to remember and harder to crack than “P@ssw0rd!23.”
Use a password manager. I recommend Bitwarden (free and open-source) or 1Password. A password manager generates and stores unique passwords for every account, so you only need to remember one master password. This eliminates the temptation to reuse passwords across sites, which is one of the most dangerous habits in cybersecurity.
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if someone obtains your password through a data breach or phishing attack, they can’t log in without the second factor — typically a code from an authenticator app on your phone. Enable 2FA on every account that supports it. Your hosting panel, CMS, email, domain registrar — all of them.
Keeping Software Updated
The accounting firm I mentioned at the beginning was compromised through an outdated plugin. This is the most common attack vector for CMS-based websites, and it’s entirely preventable.
Software updates aren’t just about new features. They frequently include patches for known security vulnerabilities. When a vulnerability is discovered and patched, the details are published. Attackers read these announcements and immediately start scanning for sites that haven’t applied the update. The window between a vulnerability being disclosed and attackers exploiting it is shrinking — sometimes just hours.
If you’re on WordPress, this means updating WordPress core, every plugin, and your theme regularly. Set up auto-updates for minor releases. For major updates, test on a staging environment first. And for the love of your business, delete plugins you’re not using. Deactivated plugins with known vulnerabilities can still be exploited.
If you’re on a custom-built site, make sure your server software (PHP, Node.js, Python, whatever runtime you use), web server (Apache, Nginx), and any dependencies are kept current. Subscribe to security advisories for your technology stack.
File Permissions
File permissions determine who can read, write, and execute files on your server. Incorrect permissions are a silent security risk — everything works fine until someone exploits them.
The general rule is to use the most restrictive permissions that allow your site to function. Directories should typically be set to 755 (owner can read, write, execute; everyone else can only read and execute). Files should be 644 (owner can read and write; everyone else can only read). Configuration files that contain database credentials or API keys should be 600 (only the owner can read and write).
Never set anything to 777 (full permissions for everyone). I’ve seen hosting support forums where the answer to “I’m getting a permission error” is “just set it to 777.” That’s like solving a lock problem by removing all the doors from your house. It works, but now anyone can walk in.
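An added audit script (mine, not from the article) that walks a site directory, reports anything looser than the 755/644/600 policy above, and can apply it. The set of secret-holding file names and the constructed test tree in `demo()` are assumptions for the demonstration.

```python
import os
import stat
import tempfile

# Policy from the article: 755 for directories, 644 for files, 600 for
# files holding credentials or API keys.
DIR_MODE = 0o755
FILE_MODE = 0o644
SECRET_MODE = 0o600
# Assumption: these file names hold secrets on the sites being audited.
SECRET_NAMES = {"wp-config.php", ".env", "config.php"}


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) in SECRET_NAMES:
        return SECRET_MODE
    return FILE_MODE


def audit_permissions(root):
    """Return (path, actual_mode, expected_mode) for every entry under root
    that carries a permission bit the policy does not allow. Entries that are
    tighter than the policy are fine and are not reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue  # chmod would follow the link; audit the target instead
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual & ~want:  # e.g. a 777 dir, a 666 file, a 644 wp-config.php
                findings.append((path, actual, want))
    return findings


def fix_permissions(root):
    """Apply the policy to every finding; returns how many entries changed."""
    findings = audit_permissions(root)
    for path, _actual, want in findings:
        os.chmod(path, want)
    return len(findings)


def demo():
    """Constructed site tree with the classic mistakes, audited and then fixed.
    Returns (findings before, entries changed, findings after)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in (("index.php", 0o666), ("wp-config.php", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    before = len(audit_permissions(root))
    changed = fix_permissions(root)
    after = len(audit_permissions(root))
    return before, changed, after
```

Run `audit_permissions` first and read the list before calling `fix_permissions`; some hosts run PHP as a different user than the file owner, and a file the policy tightens may need group access instead.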
Backup Strategy: Your Safety Net
Backups don’t prevent attacks, but they determine how quickly you recover from one. Without backups, a successful attack can mean rebuilding your entire website from scratch. With proper backups, it’s a restore operation that takes minutes to hours instead of days to weeks.
Follow the 3-2-1 backup rule. Keep three copies of your data. Store them on two different types of media (for example, your server and a cloud storage service). Keep one copy offsite (not on the same server as your website). This protects against not just hacking but also server failures, hosting provider issues, and accidental deletion.
Automate your backups. If backups depend on someone remembering to run them manually, they won't happen consistently. Set up automated daily backups and verify them periodically by actually restoring from a backup to a test environment. I’ve seen businesses with backup systems that had been silently failing for months. The time to discover your backup is broken is not when you desperately need to restore from it.
Keep multiple backup versions. Don’t just keep the most recent backup. If your site was compromised two weeks ago and you only have yesterday’s backup, that backup contains the compromised files. Keep at least 30 days of daily backups so you can restore from before the breach occurred.
Web Application Firewall and Security Headers
A Web Application Firewall (WAF) sits between the internet and your website, monitoring and filtering incoming traffic. It blocks known attack patterns — SQL injection attempts, XSS payloads, malicious bot traffic — before they reach your server. Think of it as a bouncer at the door who checks everyone before they come in.
Cloudflare is the most accessible WAF for small businesses. Their free tier includes basic WAF protection, DDoS mitigation, and a CDN that also improves your site’s performance. The paid plans add more advanced security features. For most small businesses, the free or Pro plan provides excellent protection at minimal cost.
Security headers are HTTP response headers that tell browsers how to behave when handling your site’s content. They’re configured on your server and add important security layers.
Content-Security-Policy (CSP) tells the browser which sources of content are allowed to load on your page. This prevents XSS attacks by blocking unauthorized scripts. If an attacker injects a script tag that tries to load code from their server, the browser refuses because that server isn’t in your CSP whitelist.
X-Frame-Options prevents your site from being embedded in an iframe on another site. This stops clickjacking attacks where an attacker overlays your site with invisible elements to trick users into clicking something they didn’t intend to.
Strict-Transport-Security (HSTS) tells browsers to always use HTTPS when connecting to your site, even if someone types HTTP. This prevents downgrade attacks where an attacker forces a connection over unencrypted HTTP.
X-Content-Type-Options set to “nosniff” prevents browsers from MIME-type sniffing, which can be exploited to execute malicious files disguised as harmless ones.
These headers cost nothing to implement — they’re just configuration entries on your server — and they significantly harden your site against common attacks.
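A small checker, added here and not part of the article, that audits a site's response headers against the four headers just described. The one-year HSTS minimum, the `'unsafe-inline'` check, and the two constructed header sets are my assumptions; `fetch_headers` is only for use against a site you operate.

```python
import urllib.request

# Assumption: one year is the minimum HSTS max-age we accept.
HSTS_MIN_AGE = 31536000


def fetch_headers(url):
    """Fetch live response headers with a HEAD request (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, else None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def audit_headers(headers):
    """Check the four headers from the article. Returns a list of findings;
    an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy: allows 'unsafe-inline'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")

    hsts = h.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts else None
    if age is None or age < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security: missing or max-age under one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    return findings


# Constructed examples: a typical default server response and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
```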
Monitoring and Alerts: Detecting Problems Early
The faster you detect a security incident, the less damage it causes. Set up monitoring so you’re notified when something unusual happens.
Google Search Console is free and alerts you if Google detects malware, security issues, or manual penalties on your site. Every website owner should have this set up. If Google flags your site, you’ll know within hours instead of discovering it weeks later when a customer tells you.
Uptime monitoring services like UptimeRobot (free tier available) check your site every few minutes and alert you if it goes down. A sudden outage could indicate an attack, a server problem, or a hosting issue. Knowing immediately lets you respond quickly.
File integrity monitoring watches for unexpected changes to your website’s files. If a core file is modified without a corresponding update, that could indicate malicious code injection. WordPress security plugins like Wordfence include this feature. For custom sites, you can set up file hash comparison scripts that run daily.
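A minimal version of the daily hash-comparison script mentioned above, added here as an example (not the article's or any plugin's code). It takes a SHA-256 baseline of the site, stores it outside the web root, and reports added, removed and modified files; the excluded `cache` directory and the constructed tree in `demo()` are assumptions.

```python
import hashlib
import json
import os
import tempfile

# Assumption: this directory changes legitimately at runtime, so it is left
# out of the baseline rather than generating daily noise.
EXCLUDE_DIRS = {"cache"}


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    # Keep the baseline outside the web root (or off the server entirely):
    # anyone who can rewrite site files could otherwise rewrite it too.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return what changed since the baseline was taken."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed site tree: take a baseline, then simulate the kind of
    change an injection leaves behind (one file edited, one file dropped)."""
    site, state = tempfile.mkdtemp(), tempfile.mkdtemp()
    _write(site, "index.php", "<?php require 'wp-blog-header.php';")
    _write(site, "wp-includes/functions.php", "<?php function f() {}")
    save_manifest(build_manifest(site), os.path.join(state, "baseline.json"))
    _write(site, "index.php", "<?php /* unexpected edit */ require 'wp-blog-header.php';")
    _write(site, "wp-content/uploads/new.php", "<?php /* dropped file */")
    return compare(load_manifest(os.path.join(state, "baseline.json")), build_manifest(site))
```

Rebuild the baseline right after every legitimate update so the next daily run only reports changes you did not make.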
Login attempt monitoring tracks who’s trying to access your admin area. If you see hundreds of failed login attempts from various IP addresses, you’re under a brute force attack. This is normal for any website on the internet, but monitoring it helps you confirm that your rate limiting and strong passwords are doing their job.
Review your access logs periodically. They tell you who’s visiting your site, what they’re requesting, and where they’re coming from. Unusual patterns — like thousands of requests to your login page, repeated requests for non-existent URLs, or traffic spikes from a single IP — can indicate an attack or a vulnerability scan in progress.
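An added example (mine, not from the article) covering both of the last two points: it parses access-log lines and flags the three patterns described, repeated POSTs to the login page, a run of 404s from one address, and a single address generating a traffic spike. The login paths, thresholds and the sample log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumptions: the login surface of a WordPress site, and the per-IP counts
# we treat as worth a look in one day's log of a small site.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
LOGIN_THRESHOLD = 5
NOT_FOUND_THRESHOLD = 3
TOTAL_THRESHOLD = 500


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def analyze(lines):
    """Return sorted (ip, finding, count) tuples for the three patterns the
    article describes: login hammering, probing for missing URLs, and one
    address generating a traffic spike."""
    login, not_found, total = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        total[ip] += 1
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            login[ip] += 1
        if rec["status"] == 404:
            not_found[ip] += 1
    findings = []
    findings += [(ip, "login-bruteforce", n) for ip, n in login.items() if n >= LOGIN_THRESHOLD]
    findings += [(ip, "scan-404", n) for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD]
    findings += [(ip, "traffic-spike", n) for ip, n in total.items() if n >= TOTAL_THRESHOLD]
    return sorted(findings)


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2026:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2026:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2026:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2026:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [10/Mar/2026:04:01:10 +0000] "GET /backup.zip HTTP/1.1" 404 196
198.51.100.7 - - [10/Mar/2026:04:01:11 +0000] "GET /old-site/ HTTP/1.1" 404 196
198.51.100.7 - - [10/Mar/2026:04:01:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
198.51.100.7 - - [10/Mar/2026:04:01:13 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196
192.0.2.10 - - [10/Mar/2026:09:15:00 +0000] "GET /services/ HTTP/1.1" 200 8120
192.0.2.10 - - [10/Mar/2026:09:15:03 +0000] "GET /contact/?ref=home HTTP/1.1" 200 6533
"""
```

Against a real log, run it as `analyze(open("/var/log/nginx/access.log"))` and tune the thresholds to your site's normal traffic; the 404 scan and the login burst in the sample are the patterns worth checking against your rate limiting.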
What to Do If You Get Hacked
Despite your best efforts, breaches can happen. Having a response plan means the difference between a contained incident and a catastrophe.
Step 1: Take the site offline immediately. Put up a maintenance page. This prevents further damage, protects your visitors from malware or phishing, and stops the attacker from accessing the site while you work on cleanup. Yes, being offline hurts your business. Being online and serving malware to your customers hurts it more.
Step 2: Contact your hosting provider. They deal with compromised sites regularly and may have tools, logs, or backups that help. Some providers will perform malware scans and cleanup as part of their support. At minimum, they can provide server access logs that help identify how the breach occurred.
Step 3: Change all passwords. Every single one. Hosting panel, CMS admin, FTP, database, associated email accounts, domain registrar. Assume every credential has been compromised. Generate new passwords from a clean device — not from a computer that might also be compromised.
Step 4: Identify the attack vector. How did they get in? Check server logs, review recently modified files, look for unfamiliar user accounts. Understanding the entry point is critical so you can close it before restoring the site. If you restore without fixing the vulnerability, you’ll be hacked again within days.
Step 5: Restore from a clean backup. Restore a backup from before the breach occurred. If you don’t have clean backups, you’ll need to manually clean every infected file. This is time-consuming and error-prone — it’s easy to miss hidden backdoors that let the attacker return.
Step 6: Scan, verify, and harden. Scan the restored site thoroughly for any remaining malicious code. Apply all pending updates. Remove unnecessary plugins, themes, or files. Implement the security measures in this article that were missing before. Then bring the site back online.
Step 7: Notify affected parties. If customer data was potentially accessed, you may have legal obligations to notify them depending on your jurisdiction (GDPR in Europe, various state laws in the US). Even if not legally required, transparency builds trust. A brief, honest notification that explains what happened, what data was affected, and what you’ve done to prevent it from happening again is far better than hoping nobody notices.
Security as Ongoing Maintenance
Website security isn’t a one-time project. It’s an ongoing practice, just like locking your office doors or updating your antivirus software. The threat landscape evolves constantly, and your defenses need to evolve with it.
Build security into your regular website maintenance routine. Monthly, review and apply updates. Quarterly, audit your user accounts and access permissions. Annually, review your entire security posture — are your backup procedures working? Are your passwords still strong? Have new vulnerabilities been disclosed for your technology stack?
If this feels overwhelming, you’re not alone. Most small business owners didn’t get into business to manage web server security. That’s why many choose to work with a professional team that handles security as part of ongoing website maintenance. Whether you handle it yourself or hire help, the important thing is that it gets done consistently.
The client whose story I opened with? After the cleanup, we implemented every measure in this article. That was over two years ago. She hasn’t had a security incident since. The monthly cost of proper maintenance is a fraction of what that single breach cost her. That’s the math of website security — prevention is always cheaper than recovery.
Frequently Asked Questions
How do I know if my website has been hacked?
Common signs include unexpected redirects to other websites, new admin accounts you didn’t create, unfamiliar files or code in your directories, a sudden drop in search rankings, Google warnings about malware, unusually slow performance, and spam content appearing on your pages. Set up monitoring tools like Google Search Console to get alerts about security issues early.
Is an SSL certificate really necessary for a small business website?
Yes, absolutely. SSL encrypts data between your visitors and your server, protecting login credentials, contact form submissions, and any personal information. Beyond security, browsers mark non-HTTPS sites as “Not Secure,” which drives visitors away. Google also uses HTTPS as a ranking signal. Most hosting providers include free SSL certificates through Let’s Encrypt.
How often should I back up my website?
At minimum, back up daily if your site has dynamic content like blog posts, e-commerce orders, or user submissions. For static sites that change infrequently, weekly backups are usually sufficient. Always create a manual backup before making any major changes. Follow the 3-2-1 rule: three copies, on two different media types, with one stored offsite.
What is a WAF and do I need one?
A Web Application Firewall monitors and filters HTTP traffic between the internet and your website. It blocks common attacks like SQL injection, cross-site scripting, and malicious bot traffic before they reach your server. For any business website that handles customer data or transactions, a WAF is strongly recommended. Cloudflare offers a free tier that includes basic WAF protection.
Are WordPress websites less secure than custom-built ones?
WordPress is not inherently insecure, but its popularity makes it the most targeted CMS. The majority of WordPress breaches come from outdated plugins and themes, not WordPress core itself. A properly maintained WordPress site with minimal plugins, regular updates, and strong passwords can be quite secure. Custom-built sites have a smaller attack surface but require equally diligent security practices.
What should I do immediately if my website gets hacked?
First, take the site offline to prevent further damage and protect visitors. Then contact your hosting provider — they may have tools or backups to help. Change all passwords including hosting, CMS admin, FTP, and database credentials. Restore from a clean backup if available. Scan all files for malicious code. Once clean, identify how the breach happened and fix the vulnerability before going live again.