Website Security Checklist for Small Businesses (2026)
Small businesses are the number one target for cyber attacks. Here are 10 things you can check today to protect your website.
Why Small Businesses Are Targets
43% of cyber attacks target small businesses, and most succeed because of basic security gaps — not sophisticated hacking. Attackers use automated tools that scan thousands of websites per hour looking for common weaknesses. They don't care how big you are. They care how easy you are to break into.
The average cost of a data breach for a small business is over £30,000 when you factor in downtime, lost customers, and regulatory fines. The good news: most of these attacks are preventable with straightforward measures.
The 10-Point Checklist
1. SSL Certificate Is Valid and Not Expiring Soon
Your SSL certificate encrypts everything between your website and your visitors. If it expires, browsers show a scary warning page and most visitors will leave immediately. Check that yours is valid and set a reminder to renew it before it expires.
2. Every Page Loads Over HTTPS
Having an SSL certificate isn't enough — every single page needs to load over HTTPS. Check that HTTP requests automatically redirect to HTTPS, and that there's no "mixed content" (pages loading some resources over insecure HTTP).
3. Security Headers Are Set
Security headers tell browsers how to handle your content safely. The most important ones are Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options. Most websites are missing at least some of these — adding them is usually a one-line configuration change.
4. Cookies Are Secured
If your site uses cookies (and most do), they should have the Secure, HttpOnly, and SameSite flags set. Without these, attackers can steal session data or impersonate your users.
5. Server Information Is Hidden
Your server might be broadcasting its software version, operating system, or framework in HTTP headers. This is like leaving your house keys under the doormat — it tells attackers exactly which vulnerabilities to try. Remove or mask these headers.
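Items 2 to 5 can be checked from a single HTTP response without any scanner. The script below is an added example, not AuditStack's code or anything from this page; it audits one response offline for the HTTPS redirect, the four named headers, the three cookie flags, and software disclosure, and the two sample responses are constructed, not captured from a real site.

```python
import re

# Item 3: the four headers the checklist names (compared case-insensitively).
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options")
# Item 5: headers that commonly leak software names or versions.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def audit_response(scheme, status, headers):
    """Return findings for one response (scheme of the request, status, (name, value) pairs)."""
    findings = []
    single = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]  # may repeat

    # Item 2: a plain-HTTP request must be permanently redirected to https://.
    if scheme == "http":
        location = single.get("location", "").lower()
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("http request not redirected to https")
        return findings  # the remaining checks apply to the HTTPS response

    for name in REQUIRED_HEADERS:
        if name not in single:
            findings.append(f"missing header {name}")

    # Item 4: every cookie needs the Secure, HttpOnly and SameSite attributes.
    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")

    # A bare product name is tolerated; a version number or X-Powered-By is not.
    for name in DISCLOSING_HEADERS:
        value = single.get(name)
        if value is not None and (name != "server" or re.search(r"\d", value)):
            findings.append(f"header {name} discloses software: {value}")
    return findings


# Constructed sample responses (not captured from a real site): before and after hardening.
WEAK = ("https", 200, [("Server", "Apache/2.4.41 (Ubuntu)"), ("X-Powered-By", "PHP/7.4.3"),
                       ("Set-Cookie", "PHPSESSID=abc123; Path=/")])
HARDENED = ("https", 200, [("Server", "Apache"), ("Content-Security-Policy", "default-src 'self'"),
                           ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                           ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY"),
                           ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")])
```

Running `audit_response(*WEAK)` lists nine findings (four missing headers, three missing cookie flags, two disclosing headers), while `audit_response(*HARDENED)` returns an empty list.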
6. Software and Plugins Are Up to Date
Outdated WordPress plugins, themes, and CMS versions are the single most common entry point for attackers. Set up automatic updates where possible, and check for updates at least monthly.
7. Admin Login Is Protected
Use strong, unique passwords. Enable two-factor authentication. Consider changing the default login URL (like /wp-admin) to something less obvious. Limit failed login attempts to prevent brute-force attacks.
8. Regular Backups Are Running
If the worst happens, backups are your insurance policy. Back up your entire site (files and database) at least weekly. Store backups somewhere separate from your hosting — if your server is compromised, your backups shouldn't be too.
9. Contact Forms Are Protected Against Spam
Unprotected forms can be used for spam, phishing, or even injection attacks. Add rate limiting and input validation. A simple honeypot field or CAPTCHA goes a long way.
10. You're Monitoring for Breaches
Even with everything locked down, breaches happen to third-party services you use. Regularly check whether your business email or domain has appeared in known data breaches. Early detection means you can change passwords and warn customers before damage spreads.
Common Mistakes
- ✗ Assuming "we're too small to be a target" — automated attacks don't discriminate by size
- ✗ Installing an SSL certificate and thinking security is done — it's one of ten things on this list
- ✗ Using the same password for hosting, email, and admin panels
- ✗ Never checking for breaches — you only find out when customers complain
The Easy Way
You don't need to check all of this manually. AuditStack scans your website against these security checks (and more) in under 60 seconds. You get a score out of 100 with plain-English explanations and step-by-step fixes — no technical knowledge required.
Run the checklist on your website
Get a security score with actionable fixes for every issue. Takes under a minute.