
Website Security Essentials

Essential website security practices every business should implement.


Website security isn't optional. It protects your customers, your reputation, and your bottom line.

65% of UK businesses experienced at least one cyber attack in the past year[1], with recovery costs averaging £8,460 per incident. For Scottish SMEs, the impact can be devastating—many struggle to recover financially and operationally[2]. The good news? Most breaches are preventable with basic security practices.

This guide covers the essentials every business website needs, explained in plain English.

Why Website Security Matters

Let's be clear about what's at stake:

For you:

  • Customer data stolen or compromised
  • Website defaced or taken offline
  • Google blacklists your site
  • Legal liability for data breaches
  • ICO fines under UK GDPR
  • Loss of customer trust
  • Ransom demands

For your customers:

  • Credit card fraud
  • Identity theft
  • Personal information exposed
  • Malware infections on their devices

Real example: A small e-commerce site was hacked. Customer credit card data was stolen. The business faced £50,000 in fines, £15,000 in legal fees, and lost 80% of their customer base. They closed down within a year. Real impact: 33% of businesses hit by cyber attacks face regulatory fines that impact financial health[1]. Many also report difficulty attracting new customers (29%), higher notification costs (29%), and employee stress (39%).

Don't let this be you. The NCSC's Small Business Guide[2] shows these breaches are preventable with five basic steps.

The Foundation: HTTPS and SSL Certificates


HTTPS is the padlock icon you see in your browser. It encrypts data between your website and visitors.

Why HTTPS Matters

Without HTTPS:

  • Passwords sent in plain text (readable by anyone)
  • Form data can be intercepted
  • Google labels your site "Not Secure"
  • Lower search rankings
  • Modern browsers warn visitors away

With HTTPS:

  • All data encrypted
  • Customer confidence
  • Better SEO
  • Required for modern features (geolocation, camera access, etc.)

Getting HTTPS

Cost: Free (thanks to Let's Encrypt)

How to set it up:

  1. Contact your hosting provider
  2. Request SSL certificate installation
  3. Update your site to use HTTPS
  4. Set up redirects from HTTP to HTTPS
  5. Update all internal links

Most hosts can do this in under 10 minutes. If yours can't, switch hosts.

Advanced: HSTS

HTTP Strict Transport Security (HSTS) tells browsers to only access your site via HTTPS, ever.

To enable: Add this response header to your server configuration (only once every subdomain also works over HTTPS, because includeSubDomains applies the rule to all of them):

Strict-Transport-Security: max-age=31536000; includeSubDomains

Most hosting control panels have an option to enable this. Look for "Force HTTPS" or "HSTS."
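Once the header is in place it is worth checking what your server actually sends, because a typo (or a max-age of a few seconds) silently switches HSTS off. The following is an added example, not code from the article: a small Python checker that parses a Strict-Transport-Security header value and reports anything that falls short of the policy above. The sample header values at the bottom are constructed, and the function names parse_hsts and hsts_findings are this example's own.

```python
"""Parse and grade a Strict-Transport-Security response header.

Added example (not from the original article): given the raw header value a
server sends, check it against the article's recommended policy
(max-age=31536000; includeSubDomains).
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age value the article recommends


def parse_hsts(header_value):
    """Return a dict describing the HSTS directives in a header value.

    Directive names are case-insensitive (RFC 6797). Returns None when
    max-age is missing or malformed, which is what makes browsers ignore
    the whole header.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # malformed max-age: the header is ineffective
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None  # max-age is required
    return result


def hsts_findings(header_value):
    """List the problems a site owner should fix; [] means the policy is sound."""
    parsed = parse_hsts(header_value) if header_value else None
    if parsed is None:
        return ["HSTS header missing or malformed (no valid max-age)"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append("max-age below one year (%d s)" % parsed["max_age"])
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay exposed")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ["max-age=31536000; includeSubDomains",
                   "max-age=300",
                   "includeSubDomains",
                   ""]:
        print(repr(sample), "->", hsts_findings(sample) or ["OK"])
```

Feed it the value you see in your browser's developer tools (Network tab, response headers) or from a command-line HTTP client; an empty result means the header matches the recommended policy.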

Keep Everything Updated

Outdated software is the #1 way websites get hacked.

What Needs Updating

WordPress sites (or other CMS):

  • WordPress core
  • Themes
  • Plugins
  • PHP version

Custom sites:

  • Server software
  • Dependencies and libraries
  • Application code

How Often to Update

  • Security updates: Immediately (within 24 hours)
  • Minor updates: Weekly
  • Major updates: Test first, then deploy within a month

Making Updates Safer

Before updating:

  1. Backup your site (always, no exceptions)
  2. Check for compatibility issues
  3. Test on a staging site first if possible
  4. Schedule during low-traffic times

After updating:

  • Test key functionality
  • Check for errors
  • Monitor performance

Automatic Updates

Pros:

  • Never miss security patches
  • Hands-off approach
  • Better than not updating

Cons:

  • May break things
  • No testing before deployment

Our recommendation: Enable automatic updates for:

  • Security patches
  • Minor core updates

Manually test and deploy:

  • Major version updates
  • Theme updates
  • Plugin updates (especially if custom)

Strong Authentication

Weak passwords are like leaving your front door open.

Password Requirements

Minimum standards:

  • 12+ characters
  • Mix of uppercase, lowercase, numbers, symbols
  • No dictionary words
  • Unique to each site/service

Better: Use a password manager (1Password, Bitwarden, LastPass) to generate and store truly random passwords like: X9#mK2$pL4@nQ7^sW1

Two-Factor Authentication (2FA)

Even if someone gets your password, 2FA stops them.

How it works:

  1. Enter username and password
  2. Enter code from phone app or SMS

Setting up 2FA:

  • WordPress: Install "Two Factor Authentication" plugin
  • Other platforms: Enable in security settings
  • Use an authenticator app (Authy, Google Authenticator)

Who needs 2FA: Everyone with admin access (no exceptions).

Limiting Login Attempts

Hackers use bots to try thousands of passwords. Stop them.

Install a plugin that:

  • Limits login attempts (3-5 tries)
  • Temporarily blocks IP addresses after failed attempts
  • Sends alerts for suspicious activity

WordPress plugins:

  • Wordfence
  • Sucuri Security
  • Limit Login Attempts Reloaded
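To show what these plugins do under the hood, here is an added example (not the article's code and not taken from any of the plugins named above): a Python login limiter that counts failed attempts per IP address within a time window, blocks the address for a lockout period once the limit is hit, and records an alert for the site owner. The names LoginLimiter and attempt_login, the credential store and the sample IP addresses are all constructed for this example; a real deployment would keep the counters in the database or a cache so every web worker sees the same state.

```python
"""Lock out a client after repeated failed logins.

Added example (not from the article or any named plugin): an in-memory
limiter that allows a small number of failed attempts per IP address within
a window, refuses further attempts for a lockout period, and records an
alert when a lockout happens.
"""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures = max_failures     # the article suggests 3-5 tries
        self.window = window                 # seconds over which failures count
        self.lockout = lockout               # seconds a blocked IP stays blocked
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time the block expires
        self.alerts = []                     # messages for the site owner

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]  # block has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Call after a wrong password. Returns True if the IP is now blocked."""
        attempts = self._failures[ip]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()  # forget failures older than the window
        if len(attempts) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            attempts.clear()
            self.alerts.append("%s blocked after %d failed logins" % (ip, self.max_failures))
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the failure count for that IP."""
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, now, check_password):
    """Wrap a password check with the limiter. Returns 'ok', 'blocked' or 'failed'."""
    if limiter.is_blocked(ip, now):
        return "blocked"  # do not even evaluate the password while blocked
    if check_password(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "failed"


if __name__ == "__main__":
    # Constructed credential check for the demo only; real systems store hashes, never plain text.
    users = {"admin": "correct horse battery staple"}
    check = lambda u, p: users.get(u) == p
    limiter = LoginLimiter(max_failures=3, window=60, lockout=300)
    for t in range(5):
        print(t, attempt_login(limiter, "203.0.113.7", "admin", "guess%d" % t, float(t), check))
    print(limiter.alerts)
```

The `now` parameter is passed in rather than read from the clock so the behaviour is easy to test; in production pass time.time(). Note that the block is keyed on the client IP, so visitors behind one shared office address can lock each other out, which is one reason the article pairs this with 2FA rather than relying on it alone.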

Regular Backups: Your Safety Net

Backups won't prevent problems, but they'll save you when things go wrong.

What to Backup

Full backups include:

  • All website files
  • Complete database
  • Configuration files
  • Email (if hosted with your site)

Backup Frequency

  • E-commerce sites: Daily (you can't afford to lose orders)
  • Blogs with frequent updates: Daily
  • Infrequently updated sites: Weekly
  • Static sites: After every change

Where to Store Backups

Never store ONLY on the same server as your website. If the server is compromised or fails, you lose everything.

Backup storage options:

  • Cloud storage (Google Drive, Dropbox, Backblaze)
  • Separate backup service (VaultPress, BlogVault)
  • Local storage (external hard drive)

Best practice: Keep backups in three places:

  1. On your web server (for quick restores)
  2. In the cloud (offsite protection)
  3. Local drive (offline protection)

Testing Backups

A backup you've never tested is just wishful thinking.

Test quarterly:

  1. Download a backup
  2. Restore it to a test environment
  3. Check that everything works
  4. Document any issues

Automated Backups

Don't rely on remembering to backup.

Backup solutions:

  • UpdraftPlus (WordPress, free)
  • BlogVault (WordPress, paid)
  • Most hosting providers include automatic backups
  • Custom scripts for developer-built sites

Check your backups:

  • Are they actually running?
  • Are they completing successfully?
  • Are they stored offsite?
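The quarterly restore test and the "are they completing successfully?" check can both be automated. The following is an added example, not code from the article or from any backup tool it names: a Python script that archives a site directory, restores the archive into a scratch directory and compares every file byte-for-byte with the source, so a zero-byte or corrupt archive, or a backup that no longer matches the live site, shows up as a finding instead of a surprise during an incident. The mini site it builds and the function names (make_backup, verify_restore, tree_differences) are constructed for this example.

```python
"""Prove a backup restores cleanly, without touching the live site.

Added example (not from the article or any named backup tool): create a
gzipped tar archive of a site directory, restore it into a scratch
directory, and compare every file byte-for-byte with the source. This is
the article's "restore it to a test environment and check that everything
works", automated. The site contents below are constructed.
"""
import os
import tarfile
import tempfile


def make_backup(site_dir, archive_path):
    """Archive site_dir under the top-level name 'site'; returns the archive size."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    return os.path.getsize(archive_path)


def tree_differences(expected, actual):
    """Files in expected that are missing from, or differ in, actual (sorted)."""
    diffs = []
    for dirpath, _, filenames in os.walk(expected):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, expected).replace(os.sep, "/")
            dst = os.path.join(actual, rel)
            if not os.path.exists(dst):
                diffs.append("missing after restore: " + rel)
                continue
            with open(src, "rb") as a, open(dst, "rb") as b:
                if a.read() != b.read():
                    diffs.append("differs after restore: " + rel)
    return sorted(diffs)


def verify_restore(site_dir, archive_path):
    """Restore archive_path into a temp dir and compare it with site_dir.

    Returns a list of problems; an empty list means the backup is usable.
    A zero-byte or unreadable archive is the classic "the job ran but wrote
    nothing" failure that only a restore test catches.
    """
    if not os.path.exists(archive_path) or os.path.getsize(archive_path) == 0:
        return ["backup archive missing or empty"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch)  # add filter="data" on Python 3.12+
        except (tarfile.TarError, OSError, EOFError) as exc:
            return ["archive unreadable: %s" % exc]
        return tree_differences(site_dir, os.path.join(scratch, "site"))


def demo():
    """Back up a constructed mini site, verify it, then show two failure modes."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        os.makedirs(os.path.join(site, "wp-content"))
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(site, "wp-content", "style.css"), "w") as f:
            f.write("body { margin: 0 }")
        archive = os.path.join(work, "site-backup.tar.gz")
        make_backup(site, archive)
        fresh = verify_restore(site, archive)   # good backup: no findings
        # Site edited after the backup: a restore would silently roll that back.
        with open(os.path.join(site, "wp-content", "style.css"), "w") as f:
            f.write("body { margin: 1em }")
        stale = verify_restore(site, archive)   # one 'differs' finding
        # Backup job that "succeeded" but produced an empty file.
        open(archive, "wb").close()
        empty = verify_restore(site, archive)
        return fresh, stale, empty


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "empty"), demo()):
        print(label, result)
```

Run verify_restore against a copy of the archive that has been fetched back from the offsite location, not the one still sitting on the web server; that is the only way to confirm the offsite copy is complete.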

Firewall and Security Monitoring

A firewall blocks malicious traffic before it reaches your site.

Web Application Firewall (WAF)

What it does:

  • Filters malicious traffic
  • Blocks known attack patterns
  • Prevents brute force attacks
  • Stops DDoS attacks

Options:

Cloudflare (Free):

  • Basic DDoS protection
  • CDN (speeds up your site)
  • Free SSL certificate
  • Takes 15 minutes to set up

Sucuri (£200/year):

  • Advanced malware scanning
  • Incident response team
  • Website firewall
  • DDoS mitigation

Wordfence (WordPress):

  • Free and premium versions
  • Firewall
  • Malware scanner
  • Login security

Security Monitoring

Know about problems before your customers do.

What to monitor:

  • Failed login attempts
  • File changes
  • Malware scans
  • Uptime/downtime
  • Database queries

Tools:

  • Wordfence (WordPress)
  • Sucuri Site Check (free scans)
  • Google Search Console (security issues)
  • UptimeRobot (monitors if site is up)

Setting Up Alerts

Get notified immediately for:

  • Multiple failed logins
  • File modifications
  • Malware detected
  • Site down
  • Suspicious traffic patterns

Don't wait to check—let the system tell you.
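The "file modifications" alert above is the one most likely to reveal a compromise, since attackers usually leave behind an edited core file or a new PHP file in the web root. As an added example (not the article's code and not taken from any security plugin), here is the core of such a monitor in Python: it records a SHA-256 hash of every file on a known-good day, compares a fresh scan against that baseline, and turns the differences into alert lines. Caches and upload directories are skipped because they change legitimately. The temporary mini site, the skipped directory names and the function names (hash_tree, compare, alerts_for) are assumptions of this example.

```python
"""Detect modified, added and removed files against a saved baseline.

Added example (not from the article or any named tool): the kind of
file-change monitoring a security plugin performs. Take a baseline when the
site is known-good, store it away from the web root, and compare on a schedule.
"""
import hashlib
import os
import tempfile


def hash_tree(root, skip_dirs=("wp-content/cache", "wp-content/uploads")):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # Skip directories that change legitimately (caches, user uploads).
        dirnames[:] = [d for d in dirnames
                       if (d if rel_dir == "." else rel_dir + "/" + d) not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = name if rel_dir == "." else rel_dir + "/" + name
            baseline[rel] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Return the changes to review, sorted so the output is stable."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def alerts_for(changes):
    """One alert line per change; a PHP file that appears from nowhere deserves a close look."""
    lines = []
    for p in changes["modified"]:
        lines.append("MODIFIED " + p)
    for p in changes["added"]:
        suffix = " (new PHP file: check for a backdoor)" if p.endswith(".php") else ""
        lines.append("ADDED " + p + suffix)
    for p in changes["removed"]:
        lines.append("REMOVED " + p)
    return lines


def demo():
    """Build a constructed mini site in a temp dir, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "cache"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'site'); ?>")
        with open(os.path.join(root, "wp-content", "cache", "page.html"), "w") as f:
            f.write("cached")  # ignored: lives in a skipped directory
        baseline = hash_tree(root)
        # Simulated tampering: one core file edited, one unexpected file dropped in, one removed.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("\n// injected")
        with open(os.path.join(root, "wp-content", "x.php"), "w") as f:
            f.write("<?php // unexpected ?>")
        os.remove(os.path.join(root, "wp-config.php"))
        return alerts_for(compare(baseline, hash_tree(root)))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Store the baseline somewhere an attacker who controls the web root cannot reach (the backup location is a good choice), and re-take it deliberately after every update you apply yourself, so that genuine updates do not drown real alerts in noise.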

Secure Hosting

Your hosting provider is your foundation. Cheap hosting often means cutting security corners.

What Secure Hosting Provides

Minimum requirements:

  • Regular security patches
  • Firewall protection
  • Malware scanning
  • SSL certificates
  • Daily backups
  • DDoS protection

Warning signs of bad hosting:

  • Shared hosting with thousands of sites
  • No security features mentioned
  • £2/month pricing
  • Outdated PHP/server software
  • No support when hacked

Budget (£5-15/month):

  • SiteGround
  • Cloudways
  • Kinsta (managed WordPress)

What you get: Better security, faster loading, actual support when you need it.

Cost of cheap hosting: A £3/month host might save you £100/year. But one security breach costs £5,000+ in cleanup, lost sales, and reputation damage.

Worth the extra £10/month? Absolutely.

Protect Against SQL Injection

SQL injection is when hackers insert malicious code into your database queries.

What This Looks Like

Instead of searching for "pottery," someone searches for:

'; DROP TABLE users; --

If your code isn't protected, this could delete your user database.

Protection

If using WordPress or another CMS: The core is protected by default, provided you keep it updated.

If custom-built: Always use parameterized queries or prepared statements.

Bad (vulnerable):

$query = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "'";

Good (protected):

$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $_POST['email']]);

Never directly insert user input into database queries.
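To see the difference rather than take it on trust, here is an added example (not the article's PHP code) that runs the search described above both ways against a throwaway in-memory SQLite database in Python. The table, the single row in it and the function names (search_vulnerable, search_safe, fresh_db) are constructed for this example; the input string is the one the article uses.

```python
"""Parameterized queries versus string concatenation, on an in-memory SQLite database.

Added example (not the article's PHP code): the same search the article
describes, run both ways, showing that with a parameterized query the input
"'; DROP TABLE users; --" is only ever a value to compare against, never SQL.
"""
import sqlite3

INJECTION = "'; DROP TABLE users; --"  # the article's example input


def fresh_db():
    """Constructed database: one users table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'Alice')")
    conn.commit()
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def search_vulnerable(conn, email):
    """Builds SQL by concatenation, like the article's 'Bad' PHP snippet.

    executescript is used because it runs every statement in the string,
    which is what a driver that allows multi-statement queries would do.
    Returns whether the users table still exists afterwards.
    """
    sql = "SELECT * FROM users WHERE email = '" + email + "'"
    conn.executescript(sql)
    return users_table_exists(conn)


def search_safe(conn, email):
    """Parameterized query, like the article's 'Good' PDO snippet.

    The driver sends the SQL and the value separately, so the value can
    never change the statement. Returns (matching rows, table still exists).
    """
    rows = conn.execute("SELECT * FROM users WHERE email = ?", (email,)).fetchall()
    return rows, users_table_exists(conn)


if __name__ == "__main__":
    print("vulnerable: table survives?", search_vulnerable(fresh_db(), INJECTION))
    print("safe, malicious input:", search_safe(fresh_db(), INJECTION))
    print("safe, real lookup:", search_safe(fresh_db(), "alice@example.com"))
```

The parameterized version returns no rows for the malicious input, exactly as it would for any other email address nobody has registered, and the table is untouched. The same principle applies to every database and language: the query text and the values travel separately.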

Cross-Site Scripting (XSS) Prevention

XSS is when hackers inject JavaScript into your pages.

How It Works

Someone posts a comment like:

<script>
  // Code that steals visitor cookies/data
</script>

If you display this comment without sanitizing it, the script runs on every visitor's browser.

Protection

Escape all user input before displaying it:

PHP:

echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');

JavaScript: Use textContent instead of innerHTML

WordPress: Use esc_html(), esc_attr(), etc.

Rule: Never trust user input. Ever.

Protect Your Admin Area

Make it harder to find and access.

Change Default URLs

WordPress default: yoursite.com/wp-admin
Problem: Every hacker knows this

Solution: Use a plugin to change it

  • WPS Hide Login
  • iThemes Security

IP Whitelisting

Only allow admin access from specific IP addresses.

Good for:

  • Sites managed from office/home
  • Limited number of admins

How to implement: Add to .htaccess or server config, replacing YOUR.IP.ADDRESS with your own public IP address (this is the Apache 2.2 syntax; Apache 2.4 uses the Require ip directive instead, and if your IP address changes you will lock yourself out too):

Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADDRESS

Regular Security Audits

Check quarterly:

  • User accounts (remove old ones)
  • Plugin list (delete unused ones)
  • File permissions
  • Database security
  • Backup status

What to Do If You're Hacked

Despite best efforts, it might still happen. Here's your response plan:

Immediate Actions (First Hour)

  1. Take the site offline
    • Put up a maintenance page
    • Prevents further damage
  2. Change ALL passwords
    • Hosting account
    • Database
    • Admin accounts
    • FTP/SFTP
    • Email
  3. Scan for malware
    • Use Sucuri Site Check
    • Run local malware scan
    • Check all files for modifications
  4. Contact your host
    • They may have backups
    • Can help identify breach point

Recovery (First 24 Hours)

  1. Restore from clean backup
    • Use backup from before the hack
    • Don't use compromised files
  2. Update everything
    • All software to latest versions
    • Close the security hole
  3. Security audit
    • How did they get in?
    • Close that vulnerability
    • Check for backdoors
  4. Test thoroughly
    • Make sure everything works
    • Scan again for malware

After Recovery

  1. Monitor closely
    • Check logs daily for a week
    • Watch for suspicious activity
  2. Notify affected parties
    • If customer data was compromised
    • Required by law in UK/EU (GDPR)
  3. Implement additional security
    • Learn from what happened
    • Add layers you were missing

Essential Security Checklist

Set up now (1-2 hours):

  • Enable HTTPS
  • Install SSL certificate
  • Set up automatic backups
  • Enable two-factor authentication
  • Install security plugin/firewall
  • Update all software
  • Change default admin URL
  • Use strong, unique passwords

Monthly tasks (15 minutes):

  • Review security alerts
  • Check for available updates
  • Test backup restore
  • Review user accounts

Quarterly tasks (1 hour):

  • Full security audit
  • Test all contact forms
  • Review and update security measures
  • Check for outdated plugins/themes

Tools and Resources

Essential (Free):

  • Cloudflare (CDN & basic firewall)
  • Let's Encrypt (SSL certificates)
  • Wordfence or Sucuri (security plugin)
  • UpdraftPlus (backups)

Premium (Worth It):

  • Sucuri (£200/year, comprehensive)
  • VaultPress (£100/year, backups + security)
  • 1Password (password management)

Testing Tools:

  • SSL Labs (test your SSL setup)
  • Sucuri Site Check (malware scan)
  • Mozilla Observatory (security grade)

The Bottom Line

Website security isn't a one-time setup—it's ongoing maintenance.

But the basics aren't complicated:

  1. Use HTTPS
  2. Keep everything updated
  3. Use strong passwords and 2FA
  4. Backup regularly
  5. Monitor for issues

Spend 30 minutes setting this up properly now, and you'll avoid thousands in costs and headaches later.

Most breaches happen to sites with basic security holes. Don't be low-hanging fruit.

Need help securing your website? Get in touch – we'll audit your security and help you lock things down properly.


References

  1. Hiscox Cyber Readiness Report 2025. https://www.hiscox.co.uk/cyber-readiness-report
  2. National Cyber Security Centre (NCSC). Small Business Guide: Cyber Security. https://www.ncsc.gov.uk/collection/small-business-guide