A small business website gets hacked in boring ways: an out-of-date plugin, a reused admin password, a cheap host with no protection. The attackers almost never know or care who you are. Automated bots scan the whole internet for known weaknesses and walk into whatever they find. The good news is that the few habits that shut them out are well within reach of any small business.
First, understand how sites actually get hacked
Forget the image of a hacker targeting your company by name. The overwhelming majority of small business sites are compromised by automated scanning that looks for a known-vulnerable plugin, a weak or reused password, or unpatched software, and then exploits it at scale. That changes your job: your defence isn't secrecy or being too small to notice; it's simply not having the weaknesses the bots are hunting for.
Choose hosting that does some of the work for you
Where your site lives matters more than most owners think. A good managed host (or a reputable website platform) bundles in automatic updates, daily backups, a web application firewall, and malware scanning, which quietly removes most of the risk before you do anything. The bargain host that offers none of that is a false economy: you save a few dollars a month and inherit a security project. If you're not sure what your host includes, that's the first question to ask them.
Treat plugins and themes as your biggest risk
This is where most sites fall, because the vast majority of website break-ins come through plugins and themes rather than the core software. The rules are simple: install as few as possible, only from reputable sources, keep every one updated (turn on auto-updates), and delete anything you're not actively using. A plugin you don't use is pure risk with no benefit. And watch for plugins that go quiet or change hands: if one stops getting updates or is sold to a new owner, treat that as a prompt to find a maintained alternative, because abandoned and recently-sold plugins are exactly what attackers target.
Lock the front door (your logins)
Your admin login is the keys to the whole site. Use a strong, unique password on every admin account, turn on multi-factor authentication, give each person their own account rather than sharing one, and remove accounts the moment someone leaves. Keep the number of full administrators as small as possible; most people who help with the site need far less access than they have.
Turn on HTTPS and keep the basics current
A few things are simply table stakes now. Use HTTPS everywhere, with a free certificate from your host or Let's Encrypt, so traffic is encrypted and browsers don't warn visitors away from your site. And keep the software underneath current: the CMS, the PHP version, the server. You can see how your site looks from the outside, including HTTPS and security headers, with our free Website Security Checker.
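As an added example (not code from this article or from its Website Security Checker), here is a small Python script that grades a site's response headers the way an outside check would. The list of headers it looks for and the six-month HSTS threshold are an assumed baseline, and the two header sets are constructed samples, so it runs without touching any site; paste in the headers from `curl -I https://yoursite.example` to grade your own.

```python
# Baseline headers to look for (an assumed checklist, not a list from the article).
EXPECTED = {
    "strict-transport-security": "browsers should only ever use HTTPS for this site",
    "content-security-policy": "limits where scripts, styles and frames may load from",
    "x-content-type-options": "stops browsers second-guessing file types (should be nosniff)",
    "x-frame-options": "stops other sites framing your pages (clickjacking)",
    "referrer-policy": "limits what URL details leak to other sites",
}
LEAKY = ("server", "x-powered-by")  # headers that advertise software and versions

def check_headers(headers):
    """Return a list of findings for a response-header mapping (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}: {why}")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        parts = [p.strip().lower() for p in hsts.split(";")]
        age = next((int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()), 0)
        if age < 15552000:  # under six months: too short for browsers to rely on
            findings.append("weak strict-transport-security: max-age below six months")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    for name in LEAKY:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name} reveals a software version: {h[name]}")
    return findings

def http_redirects_to_https(status, location):
    """True if a plain-http response sends the visitor on to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")

# Constructed sample: what a neglected site typically sends back.
WEAK = {"Server": "Apache/2.4.29", "X-Powered-By": "PHP/7.2.24",
        "Content-Type": "text/html; charset=UTF-8"}
# Constructed sample: the same site after the fixes above.
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY", "Referrer-Policy": "strict-origin-when-cross-origin",
            "Server": "Apache", "Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or "no findings")
```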
Back it up, off-site
Assume the worst will happen eventually, because given enough time it usually does. Keep regular, automatic backups stored somewhere separate from the site itself, and confirm you can actually restore from them. A clean, recent backup is what turns a hacked website from a catastrophe into an afternoon of work. The same 3-2-1 backup thinking that protects your files applies to your site.
Have a plan for "the site got hacked"
Decide in advance what you'll do, so a bad morning doesn't become a bad week. The short version: take the site into maintenance mode, restore from a clean backup, change every password, update everything, and scan for leftover malicious files before you go live again. If customer personal data was exposed, remember you may have breach-notification obligations. Our guide on incident response covers the wider version of this for the whole business.