Security without the technical overwhelm
Website security for a small business genuinely comes down to a small number of foundational practices using HTTPS, keeping the underlying software updated, choosing reasonably secure hosting, and maintaining working backups and ensuring whoever builds or maintains your site is actually implementing these, rather than assuming security is automatically and invisibly handled.
The four foundations explained simply
HTTPS (the padlock icon)
This means your website uses an encrypted connection, shown as a padlock icon in the browser address bar. Without it, browsers actively flag your site as "not secure," which damages visitor trust and confidence virtually every legitimate website today should have this, and most hosting providers include it at no extra cost through services like Let's Encrypt.
What to check: Visit your own website and confirm the padlock icon appears, with no "not secure" warning displayed.
Keeping software updated
If your website runs on a content management system like WordPress, the underlying software, along with any plugins and themes, regularly receives security updates patching known vulnerabilities. Skipping these updates leaves known, often publicly documented security gaps unaddressed covered in much greater technical detail in security updates that prevent hacks from our Web Maintenance pillar.
What to check: Confirm with whoever manages your website that updates are being applied regularly, not left to accumulate indefinitely.
Reasonably secure hosting
Not every hosting provider offers the same level of underlying security and reliability extremely cheap, unmanaged hosting sometimes lacks basic protections that more established providers include as standard.
What to check: Without needing deep technical knowledge, simply confirming your hosting provider is a reasonably established, reputable one (rather than an unknown, extremely low-cost option with no clear support or security track record) provides a meaningful baseline.
Working backups
A saved copy of your website that can be restored if something goes wrong a hack, a bad update, an accidental deletion covered in detail in website backups and why they save you from our Web Maintenance pillar.
What to check: Confirm backups are actually happening automatically, are stored somewhere independent of just the website's own server, and ideally have been tested at least once to confirm they genuinely work.
Why these four matter more than more advanced, technical security measures for most small businesses
A small business website is far more likely to be compromised through an automated attack exploiting an unpatched, known vulnerability than through a sophisticated, targeted attack meaning these foundational, relatively simple practices address the actual, realistic risk most small businesses face, without needing to understand or invest in more advanced enterprise-level security measures that address different, less common threat scenarios.
What a business owner should ask their web developer or agency directly
Is HTTPS active on our site? How often are software updates applied? What hosting provider are we using, and is it a reputable one? Are backups happening automatically, and have they been tested? These four direct questions, asked plainly, reveal whether basic security foundations are genuinely in place.
Frequently asked questions
No understanding that these four foundations should exist and asking direct, plain questions to confirm they are in place is sufficient for most business owners; the technical implementation is reasonably handled by a competent developer or agency.
This is typically included within a standard website maintenance retainer, covered in website maintenance cost and what's covered from our Web Maintenance pillar, rather than representing a large, separate expense.
The risk does not scale down proportionally with site traffic automated attacks scan broadly for known vulnerabilities regardless of how much traffic a specific site receives, meaning even a small, low-traffic business website carries genuine risk if these basics are neglected.