Website security for small business

Five layers of protection your website needs. No tech degree required.


Here's the uncomfortable truth: 43% of cyberattacks target small businesses, and most of them succeed because of basic mistakes — not sophisticated hacking. An unlocked front door, not a heist movie.

You don't need to become a security expert. You need to get five things right. Think of them as layers of a shield — each one adds protection, and together they make your site a hard target instead of an easy one.

1. HTTPS everywhere

If your website URL starts with "http://" instead of "https://", you have a problem. The "s" stands for secure — it means the connection between your visitor's browser and your server is encrypted. Without it, anyone on the same network (like a coffee shop WiFi) can see what your visitors type, including passwords and credit card numbers.

Google also marks non-HTTPS sites as "Not Secure" right in the browser bar. That warning alone drives visitors away. And since 2014, Google has used HTTPS as a ranking signal — sites without it rank lower.

The fix: Most hosting providers offer free SSL certificates through Let's Encrypt. Log into your hosting dashboard and look for "SSL" or "Security." Enable it, then make sure your site redirects all http:// traffic to https://. This is usually a one-click setting. If you need a deeper dive, check our HTTPS guide.

2. Security headers

Security headers are invisible instructions your server sends to visitors' browsers. They say things like "don't let other sites embed my pages" and "only load scripts I've approved." Without them, your site is vulnerable to attacks where bad actors inject fake content or steal your visitors' information.

The most important ones are:

The fix: These are set in your server configuration or hosting dashboard. Many hosts have a security section where you can enable them. If you're on WordPress, plugins like "Headers Security Advanced" add them in minutes. Learn more in our security headers guide.
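As an added example (not the page's or Antileak's own check), here is a small Python audit of one captured response's headers that applies the rules in this section: scripts only from sources you approved, no embedding by other sites, and a header that keeps browsers on HTTPS. The baseline checks and both sample responses are constructed for illustration.

```python
"""Audit one captured HTTP response for the security headers discussed above.

Added example; the checks and the sample responses are constructed for
illustration and are not Antileak's check list.
"""
from typing import Dict, List


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    h = _lower(headers)
    findings: List[str] = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy: any injected script will run")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': injected inline scripts still run")

    # Embedding protection comes from CSP frame-ancestors or X-Frame-Options.
    # Any other X-Frame-Options value (e.g. the obsolete ALLOW-FROM) is ignored
    # by current browsers, so it counts as no protection.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("pages can be embedded by other sites: set frame-ancestors or X-Frame-Options")

    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security: browsers may still try http://")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    return findings


# Constructed sample: what an unhardened host typically sends back.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

# Constructed sample: the same site after the headers are set in the server config.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "all checks passed")
```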

3. No exposed files

This is one of the most common — and most dangerous — security mistakes. Developers often leave configuration files, backup files, or version control folders accessible on the live site. Files like .env (which often contains database passwords), .git/ (which contains your entire source code history), and wp-config.php.bak (a WordPress backup with database credentials) can be visited by anyone who knows to look.

Attackers use automated tools to check thousands of websites for these files. If yours are exposed, they can access your database, email accounts, API keys, and more. This is how data leaks happen — not through clever hacking, but through files that should never have been public.

The fix: Check if you can access yoursite.com/.env, yoursite.com/.git/, or yoursite.com/wp-config.php.bak. If any of them load, block access immediately through your server configuration or .htaccess file. Antileak scans for over 20 commonly exposed file types automatically.
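An added Python example, not Antileak's scanner: it walks a local copy of the web root and lists files of the leftover types named above (.env, .git/, backups, database dumps) so you can remove or block them before anyone can request them. The pattern list is an assumed subset for illustration and the sample tree is constructed in a temporary directory.

```python
"""List files in a web root that must never be served to visitors.

Added example, not Antileak's scanner: the pattern list is a small assumed
subset of the file types named above, and the sample tree is constructed.
"""
import os
import re
import tempfile
from typing import List

# Patterns applied to paths relative to the web root (assumed subset).
EXPOSED_PATTERNS = [
    re.compile(r"(^|/)\.env($|\.)"),           # .env, .env.production
    re.compile(r"(^|/)\.git(/|$)"),            # whole source-code history
    re.compile(r"\.(bak|old|orig|swp)$"),      # manual and editor backups
    re.compile(r"~$"),                         # editor backup copies
    re.compile(r"(^|/)wp-config\.php\.\w+$"),  # wp-config.php.bak and friends
    re.compile(r"\.sql(\.gz)?$"),              # database dumps
]


def find_exposed_files(webroot: str) -> List[str]:
    """Return web-root-relative paths matching a sensitive pattern, sorted."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir + "/"
        # Report a .git directory once and do not descend into it.
        if ".git" in dirnames:
            hits.append(rel_dir + ".git/")
            dirnames.remove(".git")
        for name in filenames:
            rel = rel_dir + name
            if any(p.search(rel) for p in EXPOSED_PATTERNS):
                hits.append(rel)
    return sorted(hits)


def build_sample_webroot() -> str:
    """Create a constructed WordPress-like tree with a few leftovers in it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = ["index.php", "wp-config.php", "wp-config.php.bak", ".env",
             "wp-content/themes/shop/style.css", "wp-content/backup.sql",
             ".git/HEAD", ".git/config"]
    for f in files:
        path = os.path.join(root, *f.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in find_exposed_files(build_sample_webroot()):
        print("must not be public:", hit)
```

Run it against a copy of the real document root (or over SSH on the host) and block or delete every path it reports.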

4. Strong passwords and 2FA

The most common way attackers get into small business websites is the simplest: they guess the password. If your WordPress admin login is "admin" with the password "password123" (or your business name, or "123456"), it will be cracked — not by a human, but by a bot that tries thousands of common passwords per minute.

Two-factor authentication (2FA) adds a second step after your password — usually a code from your phone. Even if someone guesses your password, they can't get in without your phone. It's the single most effective thing you can do to prevent unauthorized access.

The fix: Use a password manager (1Password, Bitwarden) to generate and store unique passwords for every login. Enable 2FA on your hosting dashboard, CMS admin, domain registrar, and email. Most platforms have it built in — you just need to turn it on.

5. Keep everything updated

Outdated software is the #1 attack vector for small business websites. When WordPress, your theme, or a plugin releases an update, it often includes security patches for vulnerabilities that have been publicly disclosed. If you don't update, attackers know exactly which holes to exploit — because the patch notes tell them.

This isn't theoretical. The majority of hacked WordPress sites are running outdated plugins. One vulnerable plugin that you installed three years ago and forgot about can be the opening an attacker needs to take over your entire site.

The fix: Log into your CMS at least once a week and check for updates. Enable automatic updates for minor releases and security patches. Remove any plugins or themes you're not actively using — each one is a potential entry point. If you're on a paid tier, Antileak's daily monitoring catches outdated software and alerts you before it becomes a problem.

Why these five? Because they cover 90% of how small business sites actually get compromised. Sophisticated zero-day exploits make the news, but the reality is far more boring: missing HTTPS, exposed files, weak passwords, and outdated plugins. Fix the boring stuff and you've dramatically reduced your risk.

What happens when security fails

A compromised website doesn't just go down temporarily. Google may flag it as "dangerous" — which can take weeks to remove, even after you've fixed the problem. Your customers lose trust. If you handle any personal data, you may have legal notification obligations. And the cleanup cost typically runs $500–5,000 for a small business site.

The good news is that prevention is cheap and simple. The five layers above cost nothing except an hour or two of setup time. Your website health score includes a security component that checks all of these automatically — run a scan to see where you stand.

Check your security

See which protections your site is missing. Takes 60 seconds.

We check HTTPS, headers, exposed files, and more. Free scan. No credit card needed.