June 14, 2026

Security basics for small business sites

Security basics for small business websites: HTTPS, updates, strong auth, backups, and form protection — the baseline I ship so a site isn't an easy target.

By Ivan Sessa | Updated June 14, 2026 | 4 min read | GROWTH

The security baseline for a small business site is simple: HTTPS everywhere, kept-current software, strong authentication, regular backups, and basic form and spam protection. You don't need enterprise security to be safe — you need the fundamentals done consistently, because most attacks are automated and target the easy, unpatched sites. Get the basics right and you're no longer low-hanging fruit. Here's the baseline I ship on every build.

What's the security baseline every site needs?

Five fundamentals: HTTPS on every page (encrypted by default), software and dependencies kept up to date, strong authentication on any admin or login, regular automated backups you can actually restore from, and spam and abuse protection on forms. That baseline stops the overwhelming majority of automated attacks. None of it is exotic — it's the consistent application of basics that most compromised sites simply skipped, then paid for later. If you do nothing else, do these five — they're the 80/20 of small business website security, and they close the doors automated attacks actually try.

Why are small business sites targeted?

Because attackers automate. Most attacks aren't a person choosing you — they're bots scanning the whole web for known vulnerabilities and weak passwords. Small sites get hit precisely because owners assume they're too small to bother with and leave the basics undone. That assumption is the vulnerability. You're not targeted for what you have; you're targeted for being an easy, unpatched door — and closing the easy doors removes you from the script. It's worth saying plainly: you won't be spared because you're small or "not interesting." Bots don't know or care what your business is; they know your software has a known hole, and that's enough. Being uninteresting is not a security strategy.

What are the most common weak points?

Outdated software with known holes, weak or reused admin passwords, no backups, unprotected forms that invite spam and injection, and missing HTTPS. Each is common and each is preventable. The pattern is always the same: not a sophisticated attack, but a basic safeguard that was never set up. Fixing these five removes the easy paths in — which is most of them, since automated attacks go for the easy path first and move on if it's closed. Two more worth naming: out-of-date plugins (each one is third-party code with its own vulnerabilities) and a lack of basic monitoring, so a breach goes unnoticed for weeks. You can't fix what you never see — even a simple uptime and integrity check shortens the time between "something's wrong" and "it's handled."

What should you do if your site is hacked?

Act fast and in order. Take the site offline or into maintenance mode so it can't harm visitors or spread, then restore from a clean backup from before the compromise — which only works if you've been keeping backups, the reason they're on the baseline. Change every password and rotate any keys, update everything to close the hole that let them in, and scan to confirm it's clean before going live again. Afterward, figure out how they got in and fix that specifically. The whole ordeal is far shorter and cheaper when backups and updates were already in place — recovery is where neglected security sends its bill.

Does HTTPS alone make a site secure?

No — HTTPS is necessary but not sufficient. It encrypts traffic between the visitor and your site, which protects data in transit and is required for trust and SEO, but it does nothing about an outdated plugin, a weak admin password, or an unprotected form. Plenty of hacked sites have a perfect padlock in the address bar. Treat HTTPS as the front-door lock: essential, and the easy first step — but real security is the whole baseline working together, not any single piece. A green padlock means the conversation is private, not that the building is safe.

How do I handle security on a build?

I ship the baseline by default — HTTPS, current dependencies, strong auth, backups, and form protection — on a modern stack that's secure out of the box, deployed on infrastructure like Vercel. It's part of my services and the same care as ongoing website maintenance. Security isn't a feature you bolt on later; it's the floor a site launches on, not a ceiling you reach for someday.

See website maintenance explained, who owns your website code and data, and how to keep your website fast.

Want your site secure from day one? Tell me what you're building — I'll ship it on a safe baseline.
