
Website Security for Small UK Businesses: What You Actually Need to Do

Most website security advice is written to scare you into buying something. This is the stuff that actually matters for a small business website, with specific tools and no upsells.

Most website security advice falls into two categories: terrifying statistics designed to sell you enterprise software, or vague platitudes about “staying safe online.” Neither is useful if you’re running a small business in the UK and just want to know what’s actually worth doing.

I’ve built and maintained websites for small businesses for over 10 years. Here’s what I tell my clients.

Start with HTTPS. If you haven’t already, stop reading and do this first.

Your site needs an SSL certificate (technically TLS these days, but everyone still calls it SSL). This is what puts the padlock in the browser bar and changes your URL from http:// to https://. Without it, browsers such as Google Chrome will flag your site as “Not Secure” to visitors, and any data sent through your forms travels unencrypted.

The good news: most hosting providers include SSL for free now. If yours doesn’t, Let’s Encrypt provides free certificates. Your hosting company’s support team can set this up in 10 minutes.

How to check: Visit your site. Look at the address bar. If there’s a padlock, you’re fine. If there’s a warning triangle or “Not Secure” text, fix it today.

If you’ve got an older site that was originally built on http://, make sure all internal links and images have been updated to https://. Mixed content (some elements loading over http, some over https) will still trigger browser warnings. A quick way to check: open your site, right-click, choose “Inspect”, click the “Console” tab, and look for mixed content warnings.
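The console check above is manual. As an added example (not the author’s code), here is a small scanner that does the same job over a page’s HTML: it flags http:// sub-resources (images, scripts, stylesheets, iframes, form actions), which browsers treat as mixed content, and separately flags internal links that still point at http:// so they can be updated. The sample page and the example.co.uk domain are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource. An http:// URL in one of
# these on an https:// page is mixed content: browsers block scripts and styles
# and warn about images, which is what shows up in the "Console" tab.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "form": ("action",),
}
# <link> only fetches something for these rel values; rel="canonical" etc. are metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, attribute, url) tuples for every http:// reference found."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            for url in self._urls(attr, attrs.get(attr, "")):
                if urlsplit(url).scheme == "http":
                    self.findings.append(("mixed-content", tag, attr, url))
        # Plain links are not mixed content, but an internal http:// link still sends
        # visitors through a redirect (or to an unencrypted page) and should be updated.
        if tag == "a":
            href = attrs.get("href", "")
            parts = urlsplit(href)
            if parts.scheme == "http" and parts.hostname == self.page_host:
                self.findings.append(("internal-http-link", tag, "href", href))

    @staticmethod
    def _urls(attr, value):
        if not value.strip():
            return []
        if attr == "srcset":  # "url 2x, url 1x" -> take the URL from each candidate
            return [c.strip().split()[0] for c in value.split(",") if c.strip()]
        return [value.strip()]


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: an old http:// site moved to https:// with leftovers.
SAMPLE_PAGE_URL = "https://example.co.uk/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://example.co.uk/style.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.co.uk/images/logo.png" alt="logo">
<img src="/images/hero.jpg" srcset="http://example.co.uk/hero-2x.jpg 2x, /hero-1x.jpg 1x">
<a href="http://example.co.uk/about">About</a>
<a href="http://www.bbc.co.uk/">BBC</a>
<form action="https://example.co.uk/contact" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, attr, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:20} <{tag} {attr}> {url}")
```

To run it against your own site, fetch the page source (View Source, or save the page) and pass it to find_mixed_content with the page’s https:// URL. Relative URLs and protocol-relative (//) URLs inherit https and are correctly left alone; the external http:// link to another site is reported nowhere because it is neither mixed content nor yours to fix.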

Keep your CMS and plugins updated

If you’re on WordPress (and most small business sites are), outdated plugins are the single biggest security risk you face. Not sophisticated hackers. Not zero-day exploits. Just plugins that haven’t been updated in months with known vulnerabilities that automated bots scan for constantly.

Set WordPress core to auto-update. For plugins, I’d recommend checking for updates weekly and applying them promptly. Some people enable auto-updates for plugins too, but that occasionally breaks things, so it depends on how confident you are fixing issues.

Practical routine: Log into your WordPress admin every Monday morning. Click “Updates” in the sidebar. Apply everything. Takes 2 minutes. If something breaks after an update, your backups (see below) will save you.

Remove any plugins you’re not actively using. Every installed plugin is a potential entry point, active or not.

Use a password manager. Specifically these ones.

Stop reusing passwords. I know you do it. Everyone does until they get a password manager.

1Password (from £2.99/month) is what I use. It’s well-designed, works across all devices, and makes sharing passwords with a business partner straightforward.

Bitwarden (free, or £8/year for premium) is excellent if you want something open-source or don’t want to pay. The free tier covers everything most small businesses need.

Both generate strong random passwords for every site, fill them in automatically, and sync across your phone and laptop. The only password you need to remember is the master password for the manager itself.

Critical accounts to secure first: your domain registrar, your hosting account, your email, and your CMS admin login. If someone gets into any of these, they can take over your entire web presence.

Enable two-factor authentication (2FA) on every account that offers it. Your password manager, your email, your hosting. This means even if someone gets your password, they still can’t log in without your phone.

Back up your site properly

Backups are your insurance policy. If your site gets hacked, if an update breaks something, if your hosting provider has a catastrophic failure, you need to be able to restore everything.

The rule: at least one backup stored somewhere other than your web server. If your backups live on the same server as your website and that server gets compromised, your backups are gone too.

For WordPress, UpdraftPlus (free version) backs up to Google Drive, Dropbox, or Amazon S3 automatically. Set it to run weekly for most sites, daily if you’re running an e-commerce store.

Test your backups. At least once, go through the process of restoring from a backup to make sure it actually works. A backup you’ve never tested is a backup you can’t rely on.
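“Test your backups” is the step most people skip because it is fiddly by hand. As an added example (not the author’s code and not how UpdraftPlus works internally), the script below shows what a restore test actually consists of: record a checksum for every file at backup time, restore the archive into a scratch directory, and compare. It stands in for the real off-server copy with a second local folder, and the sample site files it creates are constructed placeholders, not WordPress. It also shows what a damaged archive looks like to the check.

```python
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_dir):
    """Relative path -> SHA-256 for every file under site_dir."""
    site_dir = Path(site_dir)
    return {p.relative_to(site_dir).as_posix(): _sha256(p)
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def create_backup(site_dir, offsite_dir):
    """Archive site_dir into offsite_dir (stand-in for Drive/Dropbox/S3) and
    return (archive_path, manifest). Store the manifest alongside the archive."""
    site_dir, offsite_dir = Path(site_dir), Path(offsite_dir)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    archive = offsite_dir / "site-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    return archive, build_manifest(site_dir)


def verify_restore(archive, manifest):
    """Restore into a scratch directory and compare every file against the
    manifest. Returns (ok, problems); a backup is only 'ok' if nothing is
    missing, changed or unexpected."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # Python >= 3.12 and backports
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = build_manifest(Path(scratch) / "site")
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    problems.extend(f"unexpected file in backup: {rel}" for rel in restored if rel not in manifest)
    return not problems, problems


def make_sample_site(site_dir):
    """Constructed stand-in for a small site (placeholder files, not real WordPress)."""
    site_dir = Path(site_dir)
    (site_dir / "wp-content" / "uploads").mkdir(parents=True)
    (site_dir / "index.php").write_text("<?php // constructed placeholder\n")
    (site_dir / "wp-config.php").write_text("<?php define('DB_NAME', 'example_db'); // placeholder\n")
    (site_dir / "wp-content" / "uploads" / "photo.jpg").write_bytes(os.urandom(2048))


def corrupt(archive):
    """Simulate a damaged backup by truncating the archive to half its size."""
    with open(archive, "r+b") as fh:
        fh.truncate(os.path.getsize(archive) // 2)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        make_sample_site(site)
        archive, manifest = create_backup(site, Path(tmp) / "offsite")
        ok, problems = verify_restore(archive, manifest)
        corrupt(archive)
        corrupt_ok, corrupt_problems = verify_restore(archive, manifest)
    return {"files": len(manifest), "clean_ok": ok, "clean_problems": problems,
            "corrupt_ok": corrupt_ok, "corrupt_problems": corrupt_problems}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the manifest is that “the restore ran without errors” is not the same as “every file came back unchanged”; comparing checksums catches a silently truncated upload or a file that was already corrupted when the backup ran. A real database-backed site also needs its database dump in the archive, which this file-only demo leaves out.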

Security headers cost nothing and take 5 minutes

Security headers are instructions your server sends with every response, telling the visitor’s browser how to handle your site. They shut down several common browser-side attacks and cost absolutely nothing to implement.

The important ones:

  • Content-Security-Policy — tells the browser which sources scripts, styles and other resources may load from, so a script an attacker manages to inject into a page is refused rather than run
  • X-Frame-Options — stops your site being embedded in someone else’s page (used in clickjacking attacks)
  • X-Content-Type-Options — with the value nosniff, stops browsers second-guessing the file type your server declares and treating, say, an uploaded file as a script
  • Strict-Transport-Security — tells browsers to only ever connect to your domain over HTTPS for the stated period; turn this on only once everything already works over https://, because browsers remember it

If you’re on WordPress, the Headers Security Advanced & HSTS WP plugin handles this. If you’ve got a custom site, your developer can add these in a few minutes. If you’re a Bristol business and want me to set this up, it’s a quick job.
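Whichever way the headers get added, it is worth checking they actually arrive and are not set to values that quietly do nothing. As an added example (my code, not the plugin’s or the author’s), the audit below checks the four headers listed above against three constructed header sets: a stock install with none of them, a half-done configuration, and a hardened one. The audit_headers function takes a plain dictionary, so it can be pointed at a live site via the fetch_headers helper; the thresholds (a one-year HSTS max-age, no 'unsafe-inline' in script-src) are assumptions reflecting common practice rather than anything the post specifies.

```python
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age

# Constructed header sets for the demo; not captured from any real site.
DEFAULT_WORDPRESS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",
    "X-Powered-By": "PHP/8.2",
}
HALF_DONE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}


def _directive(csp, name):
    """Return the value list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def audit_headers(headers):
    """Return a list of findings; an empty list means all four headers look right."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browsers may still try http:// first")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is under one year (31536000 seconds)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: injected scripts run unrestricted")
    else:
        script_src = _directive(csp, "script-src") or _directive(csp, "default-src") or ""
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts, which defeats its XSS protection")

    # Either header can stop framing; CSP frame-ancestors is the modern form.
    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not _directive(csp or "", "frame-ancestors"):
        findings.append("No X-Frame-Options (DENY/SAMEORIGIN) or CSP frame-ancestors: site can be framed (clickjacking)")

    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    return findings


def fetch_headers(url):
    """Fetch a live site's response headers with a HEAD request (not used by the demo).
    Some hosts answer HEAD with 405; fall back to a GET if that happens."""
    request = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit/0.1"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    for label, hdrs in [("stock install", DEFAULT_WORDPRESS), ("half done", HALF_DONE), ("hardened", HARDENED)]:
        findings = audit_headers(hdrs)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' problem(s)'}")
        for finding in findings:
            print("  -", finding)
```

The half-done set is the instructive one: every header is present, yet a five-minute HSTS lifetime, a CSP that still permits inline scripts and an X-Frame-Options value browsers ignore leave the site roughly where it started. Presence is not the test; the values are.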

GDPR: what actually applies to your website

If your website collects any personal data from UK visitors (contact forms, email signups, analytics), GDPR applies to you. You don’t need a law degree to comply, but you do need to get a few things right.

Privacy policy. You need one. It needs to be specific to your business, not a generic template. It should say what data you collect, why, how long you keep it, and how people can request deletion.

Cookie consent. If you use Google Analytics, Facebook pixels, or any marketing cookies, you need to ask permission before loading them. That means a proper cookie banner that keeps those scripts from loading until the user consents, not a banner that just says “we use cookies” while loading everything anyway.

Contact forms. If you store form submissions, you’re storing personal data. Have a retention policy. Delete old submissions you no longer need.

Email marketing. If you have a mailing list, people need to have explicitly opted in. No pre-ticked boxes. And every email needs an unsubscribe link.

This isn’t legal advice and I’m not a solicitor. For anything complex, talk to someone who is. But for most small business websites, the above covers 90% of what you need.

What you probably don’t need

Enterprise security monitoring tools. If you’re a three-person business selling handmade candles, you don’t need a £200/month security operations centre. Cloudflare’s free tier, updated software, and good passwords cover most threats.

Penetration testing. Useful for complex web applications, overkill for a standard business website. Save the money and spend it on keeping things updated instead.

Cyber insurance. Worth considering once you’re storing significant customer data or processing payments, but not a priority for a basic brochure site.

The 30-minute monthly routine

This is what I recommend to my clients. Once a month, spend 30 minutes:

  1. Log into WordPress and apply all updates
  2. Check your backup logs — did the last few backups complete successfully?
  3. Review your user accounts — remove anyone who shouldn’t have access
  4. Run a quick malware scan (Wordfence free version handles this)

That’s it. Not glamorous, but it prevents the vast majority of problems I’ve seen in 10 years of building websites.

If something goes wrong

If you think your site’s been compromised: don’t panic, but act quickly.

Change your hosting and CMS passwords immediately from a clean device. Contact your hosting provider — most have security teams that can help identify and clean infections. Restore from your most recent clean backup. Once the site’s restored, update everything and check how the breach happened so it doesn’t repeat.

If customer data was accessed, you have 72 hours under GDPR to report the breach to the ICO (the Information Commissioner’s Office). That clock starts from when you become aware of the breach, not from when it happened.


Got a website that needs a security check? Get in touch and I’ll have a look. I work with small businesses in Bristol and across the UK.
