Website Security Checklist for Small Businesses
A practical website security checklist for small businesses: HTTPS, security headers, form protection, plugin updates, and the trust signals that visitors and search engines check.
Security isn't just for banks
Small business owners often assume their site isn't a target — that hackers go after banks and governments, not a plumbing company or a Shopify store with 200 products. The reality is the opposite. Automated attack tools don't discriminate by revenue; they scan the entire internet for known vulnerabilities, and small business sites are disproportionately likely to run outdated software with unpatched holes. The average cost of a small business data breach is over $150,000. The average cost of preventing one is a few hours of configuration.
Beyond active attacks, security has become a user experience issue. Browsers now show 'Not Secure' warnings for any page without HTTPS. Google confirmed HTTPS as a ranking signal years ago. And visitors — especially those about to enter payment information — make trust judgments based on security indicators they can see: the padlock, the domain name, the presence of a privacy policy. A security checklist isn't paranoia; it's basic maintenance.
HTTPS and TLS: the non-negotiable foundation
If your site isn't fully HTTPS, stop reading and fix that first. Everything else on this list is secondary. HTTPS encrypts data between the visitor's browser and your server, preventing interception of passwords, payment details, and personal information. It's also a prerequisite for HTTP/2, which makes your site faster, and for many modern browser APIs.
- Ensure every page loads over HTTPS — check for mixed content where the page is HTTPS but some images, scripts, or fonts load over HTTP
- Set up HTTP-to-HTTPS redirects: any request to http:// should redirect to https:// in a single 301 hop
- Verify your TLS certificate is valid and not within 30 days of expiry — expired certificates cause full-page browser warnings that stop all traffic
- Use TLS 1.2 or 1.3 — older versions have known vulnerabilities. Most modern hosting providers handle this by default, but verify
- If you use a CDN like Cloudflare, ensure full (strict) SSL mode is enabled, not 'flexible' — flexible mode leaves the connection between CDN and your server unencrypted
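Three of the items above (mixed content, the redirect hop, certificate expiry) can be checked mechanically. The script below is an added example written for this checklist, not part of the original page or of WebEnture's tools. It scans a page's HTML for sub-resources that load over plain http://, verifies that the http:// to https:// redirect is exactly one 301 hop, and computes the days left on a certificate from the notAfter string that Python's ssl.getpeercert() returns. The HTML, redirect hops, the domain example.test and the certificate dates are constructed sample data; for a real audit you would feed it the live page body, the hops recorded by an HTTP client that follows redirects, and the live certificate.

```python
import ssl
import time
from html.parser import HTMLParser


class MixedContentFinder(HTMLParser):
    """Collect sub-resources that an HTTPS page loads over plain http://."""

    # tag -> attribute that carries the fetched resource URL
    RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                      "audio": "src", "video": "src", "source": "src",
                      "link": "href"}
    # only these <link rel=...> values actually fetch something into the page
    LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and not (rels & self.LINK_RELS):
            return  # canonical/alternate links are not fetched, so not mixed content
        url = attrs.get(attr_name, "")
        if url.lower().startswith("http://"):
            self.insecure.append(url)


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.insecure


def check_redirect_chain(hops):
    """hops: list of (requested_url, status, location) as seen by a client that
    starts at the http:// address, ending with the final non-redirect response.
    Returns a list of problems; empty means one clean 301 onto https://."""
    problems = []
    redirects = hops[:-1]
    if len(redirects) != 1:
        problems.append(f"expected exactly 1 redirect hop, saw {len(redirects)}")
    for url, status, location in redirects:
        if status != 301:
            problems.append(f"{url} redirects with {status}, not a permanent 301")
        if not (location or "").lower().startswith("https://"):
            problems.append(f"{url} redirects to {location!r}, which is not https://")
    final_url, final_status, _ = hops[-1]
    if not final_url.lower().startswith("https://") or final_status != 200:
        problems.append(f"final response {final_status} at {final_url} is not an https:// 200")
    return problems


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' value from ssl.getpeercert(), e.g.
    'Jan  5 09:34:43 2018 GMT'. now is epoch seconds; defaults to the current time."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def audit_https(html, hops, not_after, now=None):
    """Run all three checks; returns a list of findings (empty means all clear)."""
    findings = [f"mixed content: {url}" for url in find_mixed_content(html)]
    findings += check_redirect_chain(hops)
    days = days_until_expiry(not_after, now)
    if days < 30:
        findings.append(f"certificate expires in {days} days (inside the 30-day renewal window)")
    return findings


# Constructed sample inputs (example.test is not a real site) to exercise the checks.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<link rel="canonical" href="http://example.test/">
<script src="http://cdn.example.test/app.js"></script>
</head><body><img src="http://example.test/logo.png"></body></html>"""
SAMPLE_HOPS = [("http://example.test/", 301, "https://example.test/"),
               ("https://example.test/", 200, None)]
SAMPLE_NOT_AFTER = "Jan  5 09:34:43 2018 GMT"
# a fixed "now" 16 days before expiry, so the run is reproducible
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 20 09:34:43 2017 GMT")

if __name__ == "__main__":
    for finding in audit_https(SAMPLE_HTML, SAMPLE_HOPS, SAMPLE_NOT_AFTER, now=SAMPLE_NOW):
        print("-", finding)
```

Against the sample data the script reports two mixed-content resources (the canonical link is deliberately ignored because browsers do not fetch it) and a certificate inside the 30-day window, while the single 301 hop passes.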
Security headers: one-line fixes with outsized impact
Security headers are instructions your server sends to the browser with every response, telling it how to handle your content. They're the closest thing to free security you'll find — each one takes a single line to configure and prevents entire categories of attacks.
- Strict-Transport-Security (HSTS): tells browsers to always use HTTPS, even if the user types http://. Set max-age to at least 1 year (31536000 seconds) and include includeSubDomains
- Content-Security-Policy (CSP): controls which domains can serve scripts, styles, images, and fonts on your pages. Even a basic policy prevents the most common cross-site scripting (XSS) attacks
- X-Content-Type-Options: nosniff — stops browsers from guessing ("sniffing") a file's type from its contents instead of trusting the declared Content-Type, which can otherwise lead a browser to treat an uploaded file (an "image" that actually contains script, say) as HTML or JavaScript
- X-Frame-Options: DENY or SAMEORIGIN — prevents your pages from being embedded in iframes on other sites, blocking clickjacking attacks
- Referrer-Policy: strict-origin-when-cross-origin — controls what URL information is shared when users click links to other sites. Prevents leaking internal URL paths
- Permissions-Policy: explicitly disable browser features you don't use (camera, microphone, geolocation) to reduce your attack surface
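The six headers above can be audited from a single response. The script below is an added example for this checklist (not the original page's code and not WebEnture's agent): it takes the response headers as a dictionary, applies the thresholds listed above (HSTS max-age of at least one year with includeSubDomains, nosniff, DENY or SAMEORIGIN, a strict referrer policy, CSP and Permissions-Policy present) and returns the findings. RECOMMENDED_HEADERS is a safe default set you could ship as-is; WEAK_HEADERS is a constructed example of what a default server often sends. The CSP value is a deliberately basic policy; a real site's policy depends on which third-party scripts and fonts it loads.

```python
ONE_YEAR = 31536000  # seconds

# The "after": a safe default set for a typical small-business site.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# The "before": constructed example of a partially configured server.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.test",
    "Referrer-Policy": "unsafe-url",
}

# Referrer-Policy values that never leak the path to another origin.
STRICT_REFERRER_POLICIES = {"strict-origin-when-cross-origin", "strict-origin",
                            "same-origin", "no-referrer"}


def _hsts_directives(value):
    """Parse 'max-age=31536000; includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def audit_security_headers(headers):
    """Return a list of findings for a response's headers; empty means all six pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = _hsts_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains directive missing")

    if "content-security-policy" not in h:
        findings.append("CSP: header missing")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be 'nosniff'")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {xfo or 'missing'}, should be DENY or SAMEORIGIN")

    rp = h.get("referrer-policy", "").strip().lower()
    if rp not in STRICT_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {rp or 'missing'}, use strict-origin-when-cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")

    return findings


if __name__ == "__main__":
    for name, headers in (("weak", WEAK_HEADERS), ("recommended", RECOMMENDED_HEADERS)):
        print(f"{name}: {audit_security_headers(headers) or 'all checks pass'}")
```

The parser lower-cases header names and directive names because both are case-insensitive on the wire; a checker that compares them case-sensitively will report false failures against servers that emit "includeSubdomains" or "Strict-transport-security".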
Forms, logins, and data handling
Every form on your site is a potential attack surface. Contact forms can be abused for spam injection. Login forms can be brute-forced. File upload fields can accept malicious executables. The protections here are well-established and worth implementing even if your site is simple.
- Add CAPTCHA or honeypot fields to all public forms — bots submit millions of spam entries daily, and unprotected forms are the first target
- Rate-limit login attempts: after 5 failures, add a delay or temporary lockout. This stops brute-force password attacks cold
- Never store passwords in plain text — use bcrypt or Argon2 hashing. If you're using a platform like Supabase, WordPress, or Shopify, this is handled for you
- Validate and sanitize all user input on the server side, not just in the browser. Client-side validation is a convenience for users; server-side validation is the actual security
- If you accept file uploads, restrict file types and scan uploaded files before processing them
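The form protections above, minus password hashing (which the page leaves to the platform), fit in a few small server-side pieces. The block below is an added example written for this checklist, not code from the original page or from any of the platforms it names. It shows a login rate limiter that locks a key (account or client address) after five failures, a honeypot check plus server-side validation for a contact form, and an upload filter that checks both the file extension and the file's leading bytes so a script renamed to .png is still rejected. The field name "website" for the honeypot, the limits, and the sample submissions are all constructed for the example; the limiter keeps state in memory, so a multi-server deployment would back it with a shared store instead.

```python
import re
import time
from collections import defaultdict


class LoginRateLimiter:
    """Lock a key after max_failures bad attempts inside window_seconds, for lockout_seconds.
    In-memory only (constructed example); use a shared store across several servers."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key, now=None):
        """Record one failed attempt; returns True if the key is now locked."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key] = []
        return self.is_locked(key, now)

    def record_success(self, key):
        self._failures.pop(key, None)


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HONEYPOT_FIELD = "website"  # hidden with CSS; humans never fill it, bots usually do


def validate_contact_form(form):
    """Server-side validation of a contact form; returns a list of errors (empty = accept)."""
    errors = []
    if form.get(HONEYPOT_FIELD):
        errors.append("honeypot filled: discarding as bot submission")
    if not EMAIL_RE.match(form.get("email", "").strip()):
        errors.append("email: invalid address")
    message = form.get("message", "").strip()
    if not 1 <= len(message) <= 2000:
        errors.append("message: must be 1-2000 characters")
    return errors


# Allowed upload types with the leading bytes each one must start with.
UPLOAD_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def upload_allowed(filename, data):
    """Accept only whitelisted extensions whose content really carries that type's signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    signature = UPLOAD_SIGNATURES.get(ext)
    return signature is not None and data.startswith(signature)


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    for attempt in range(5):
        print("locked after failure", attempt + 1, "->", limiter.record_failure("alice"))
    print(validate_contact_form({"email": "nope", "message": "", "website": "http://spam.test"}))
    print(upload_allowed("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
          upload_allowed("logo.png", b"<?php echo 1; ?>"))
```

The upload check is the server-side counterpart of the nosniff header: the header stops browsers from second-guessing a declared type, and the signature check stops the server from trusting a filename.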
Keeping your stack updated
The most common way small business sites get hacked isn't a sophisticated attack — it's a known vulnerability in outdated software that the owner never patched. WordPress plugins, JavaScript dependencies, server operating systems, and CMS versions all receive security updates that fix discovered vulnerabilities. Each update you haven't applied is an open door with published instructions on how to walk through it.
- Enable automatic updates for your CMS core, or check for updates at least monthly
- Audit installed plugins and apps quarterly — remove any you're not actively using. Each installed plugin is a potential vulnerability
- Subscribe to security advisories for your CMS platform (WordPress, Shopify, etc.) so you hear about critical patches immediately
- Keep your hosting environment updated — PHP version, Node.js version, and database software all have security implications
- Run regular backups and test restoration — a clean backup is your last line of defense if prevention fails
How to audit your security posture
WebEnture's Security & Trust Agent (/security-trust-agent) checks most of the items on this list automatically and for free — HTTPS status, security headers, mixed content, trust signals, and certificate validity — and produces a scored report with specific fix instructions. For a broader audit, pair it with the free website grader (/website-grader), which includes security as one of its six scoring categories.
Run a security audit at least quarterly, after any major site change, and immediately if you suspect a compromise. The best security audit is the one that finds nothing, because it means your previous work is holding. The second best is the one that catches a problem before your customers do.