Guides

Website Security Checklist Every Business Owner Needs

Muhammad Saad · April 17, 2026 · 6 min read

Your website is your digital storefront. And just like you'd lock the doors of a physical shop, you need to secure your website against threats. The scary part? Most small business websites get hacked not because of sophisticated attacks, but because of basic security gaps that are easy to fix.

This checklist covers the essential security measures every business owner should have in place — no deep technical knowledge required.

Why Website Security Matters

Before diving into the checklist, here's why you should care:

  • 43% of cyberattacks target small businesses
  • The average cost of a data breach for small businesses is $120,000-$200,000
  • Google blacklists ~10,000 websites daily for malware
  • 60% of small businesses close within 6 months of a cyberattack

Website security isn't optional — it's a business necessity.

The Essential Security Checklist

1. Install an SSL Certificate ✅

What it does: Encrypts data between your visitors' browsers and your server.

Why it matters: Without SSL, login credentials, payment info, and personal data are sent in plain text — anyone on the same network can intercept them. Plus, Google penalizes non-HTTPS sites in search rankings.

How to do it:

# If using Let's Encrypt (free SSL)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Auto-renewal: certbot installs a systemd timer or cron job for you.
# This dry run confirms that renewal will succeed without changing anything.
sudo certbot renew --dry-run

Most hosting providers (including DeployBase) offer free SSL certificates with one-click installation.

Check: Visit your site — do you see a padlock icon in the browser? If not, fix this today.

2. Keep Everything Updated ✅

What it does: Patches known security vulnerabilities.

Why it matters: Outdated software is the #1 way websites get hacked. When a vulnerability is discovered and patched, hackers immediately start scanning for sites that haven't updated.

Update checklist:

  • CMS (WordPress, Joomla, etc.)
  • All plugins and extensions
  • Themes and templates
  • PHP version
  • Server operating system

Pro tip: Enable automatic updates for minor/security releases:

// WordPress wp-config.php
define('WP_AUTO_UPDATE_CORE', 'minor');

3. Use Strong Passwords and 2FA ✅

What it does: Prevents unauthorized access to your admin panel.

Why it matters: "admin/password123" is still shockingly common. Brute force attacks try thousands of password combinations per minute.

Requirements for strong passwords:

  • Minimum 16 characters
  • Mix of uppercase, lowercase, numbers, and symbols
  • Unique for every account
  • Stored in a password manager (1Password, Bitwarden)

Enable Two-Factor Authentication (2FA):

  • WordPress: Install the "Two Factor" or "WP 2FA" plugin
  • Use an authenticator app (Google Authenticator, Authy) — not SMS

4. Implement Regular Backups ✅

What it does: Ensures you can recover if something goes wrong.

Why it matters: Even with perfect security, things can go wrong — server failures, accidental deletions, or successful attacks. Backups are your safety net.

Backup strategy (3-2-1 rule):

  • 3 copies of your data
  • 2 different storage types
  • 1 offsite backup

#!/bin/bash
# Simple database backup script
set -eu
DATE=$(date +%Y-%m-%d)
# Credentials come from ~/.my.cnf (chmod 600) for a dedicated backup user,
# so the script runs unattended from cron; "-p" with no password would
# stop and prompt, which breaks scheduled runs.
mysqldump --single-transaction your_database > /backups/db_$DATE.sql
gzip /backups/db_$DATE.sql

# Upload to remote storage
aws s3 cp /backups/db_$DATE.sql.gz s3://your-backup-bucket/

Backup frequency:

  • Daily for active sites
  • Weekly minimum for all sites
  • Test restoration monthly
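The article's script stops once the dump is uploaded. The following added example (not code from the original article or from DeployBase) covers the two items a backup job usually misses: proving each archive is readable before it is trusted, and keeping the local copies from growing without bound. It assumes dumps are named `db_YYYY-MM-DD.sql`, as in the article's script; the dump contents in the demo are constructed so it runs without a database.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): finish the backup job that
# the article's mysqldump snippet starts. After a dump is written, compress it,
# record a SHA-256 checksum beside it, verify the archive is readable, and
# prune old copies. In production $dump is the file mysqldump just wrote.
set -eu

# Compress a dump and write a checksum sidecar next to it. Prints the archive path.
finish_backup() {
    local dump="$1" dir base
    gzip -f "$dump"
    dir=$(dirname "$dump"); base=$(basename "$dump").gz
    (cd "$dir" && sha256sum "$base" > "$base.sha256")
    printf '%s\n' "$dir/$base"
}

# Return 0 if the archive decompresses cleanly and matches its checksum.
# Run this before uploading, and again on the offsite copy after download.
verify_backup() {
    local archive="$1"
    gzip -t "$archive" || return 1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
}

# Keep only the newest $2 archives (and their sidecars) in directory $1.
prune_backups() {
    local dir="$1" keep="$2"
    # ls -t lists newest first; everything past position $keep is deleted
    ls -1t "$dir"/db_*.sql.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old" "${old}.sha256"
    done
}

# Number of archives currently in directory $1.
count_backups() {
    local n=0 f
    for f in "$1"/db_*.sql.gz; do [ -e "$f" ] && n=$((n + 1)); done
    printf '%s\n' "$n"
}

# Demo on a constructed dump (no database needed).
demo=$(mktemp -d)
printf 'CREATE TABLE t (id INT);\n' > "$demo/db_2026-01-01.sql"
archive=$(finish_backup "$demo/db_2026-01-01.sql")
verify_backup "$archive" && echo "verified $archive"
prune_backups "$demo" 14   # keep two weeks of daily dumps
```

A dump that passes `verify_backup` is still only half tested: the article's "test restoration monthly" item means loading the archive into a scratch database and checking the tables are there, which no script can fake for you.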

5. Install a Web Application Firewall (WAF) ✅

What it does: Filters malicious traffic before it reaches your server.

Why it matters: A WAF blocks common attacks like SQL injection, cross-site scripting (XSS), and brute force attempts automatically.

Options:

  • Cloudflare (free tier available) — DNS-level protection
  • Sucuri — WordPress-specific security
  • ModSecurity — Open source, server-level

# Basic rate limiting in Nginx
# limit_req_zone belongs in the http {} block; limit_req goes in the location
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    location /wp-login.php {
        limit_req zone=login burst=3 nodelay;
        # ... other config
    }
}

6. Secure Your Admin Area ✅

What it does: Reduces the attack surface for your website.

Key steps:

Change the default admin URL (WordPress): use a plugin like WPS Hide Login, which changes /wp-admin to /your-secret-path.

Limit login attempts: use a WordPress plugin or .htaccess rules to block an IP after 5 failed attempts for 30 minutes.

Restrict admin access by IP (if you have a static IP):

# .htaccess (Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat)
<Files wp-login.php>
  Order Deny,Allow
  Deny from all
  # 203.0.113.10 is a placeholder from the documentation range; put your own static IP here
  Allow from 203.0.113.10
</Files>

# Equivalent on Apache 2.4
<Files wp-login.php>
  Require ip 203.0.113.10
</Files>
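The "block an IP after 5 failed attempts" rule above is usually delegated to a plugin or to fail2ban. As an added example (not from the original article), here is what that rule looks like as a log check you can run from cron against the Nginx access log and turn into a `deny` list. It relies on one WordPress behaviour: a failed `wp-login.php` POST gets HTTP 200 (the form is re-rendered), while a successful one gets a 302 redirect. The log lines in `write_sample_log` are constructed samples in the Nginx combined format; the 30-minute window comes from feeding the function only recent lines (for example the tail of the current log), since it counts over whatever it is given.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): find clients with repeated
# failed WordPress logins in an Nginx access log and emit an Nginx deny list.
# Failed POST /wp-login.php -> status 200; successful -> 302.
set -eu

# Print "<count> <ip>" for every client with at least $2 (default 5)
# failed logins in log file $1, most failures first.
failed_login_ips() {
    local logfile="$1" threshold="${2:-5}"
    awk -v thr="$threshold" '
        # combined format: $1 = client IP, $6 = "\"METHOD", $7 = path, $9 = status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' "$logfile" | sort -rn
}

# Render the offenders as Nginx "deny" lines. Write the output to a file and
# include it in the /wp-login.php location, then reload Nginx.
deny_snippet() {
    failed_login_ips "$1" "${2:-5}" | awk '{ print "deny " $2 ";" }'
}

# Constructed sample log: 203.0.113.7 fails six times, 198.51.100.4 fails
# twice then succeeds, 192.0.2.9 only loads the login page.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [17/Apr/2026:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2026:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2026:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2026:10:15:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2026:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2026:10:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Apr/2026:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Apr/2026:10:16:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Apr/2026:10:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Apr/2026:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF
}

# Demo run on the constructed log.
log=$(mktemp)
write_sample_log "$log"
deny_snippet "$log" 5
rm -f "$log"
```

With the default threshold the demo prints `deny 203.0.113.7;` and nothing for the client that eventually logged in. The snippet belongs in a file included inside the `location /wp-login.php` block alongside the rate limit from step 5; fail2ban does the same counting with automatic expiry if you prefer not to manage the file yourself.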

7. Set Correct File Permissions ✅

What it does: Controls who can read, write, and execute files on your server.

Why it matters: Incorrect permissions can let attackers modify your files or upload malicious scripts.

# Correct WordPress permissions
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
# 600 works only if the user PHP runs as owns the file; otherwise PHP cannot read it
chmod 600 /var/www/html/wp-config.php

Rule of thumb: Files should be 644, directories should be 755. Never use 777.
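Rewriting every mode with `find -exec chmod` fixes things but tells you nothing about what was wrong. The added example below (not from the original article) audits a document root against the 644/755 rule first and reports world-writable entries, anything that deviates from the rule, and a readable `wp-config.php`; `fix_permissions` then applies the article's commands. The tree in `make_sample_tree` is constructed for the demo; in production pass `/var/www/html`. It uses GNU `find` (`-printf`).

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit file permissions
# under a web root against the 644/755 rule before rewriting them.
set -eu

# Print one line per offender: "<reason> <mode> <path>". No output means clean.
audit_permissions() {
    local root="$1"
    # World-writable files or directories (the 777/666 case) are always reported.
    find "$root" -perm -o+w \( -type f -o -type d \) -printf '%m %p\n' | sed 's/^/world-writable /'
    # Files that are not 644 (wp-config.php is checked separately) and directories that are not 755.
    find "$root" -type f ! -perm 644 ! -name wp-config.php -printf '%m %p\n' | sed 's/^/file-not-644 /'
    find "$root" -type d ! -perm 755 -printf '%m %p\n' | sed 's/^/dir-not-755 /'
    # wp-config.php holds database credentials: report it if group or others can read it.
    find "$root" -maxdepth 1 -name wp-config.php -perm /g+r,o+r -printf '%m %p\n' | sed 's/^/config-readable /'
}

# Apply the article's rule: 755 for directories, 644 for files, 600 for wp-config.php.
fix_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Constructed sample tree with the usual mistakes: a 777 uploads directory,
# a 666 file inside it, and a world-readable wp-config.php.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$root/wp-config.php"
    printf 'data\n' > "$root/wp-content/uploads/upload.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"
    chmod 644 "$root/index.php" "$root/wp-config.php"
    chmod 666 "$root/wp-content/uploads/upload.php"
}

# Demo: audit the constructed tree, fix it, audit again.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "before:"; audit_permissions "$demo"
fix_permissions "$demo"
echo "after:"; audit_permissions "$demo"
```

Run the audit from cron and alert on any output: a directory that turns 777 after a plugin install is exactly the kind of gap the article describes, and the audit catches it before the next rewrite would silently hide it.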

8. Disable Directory Listing ✅

What it does: Prevents visitors from browsing your file structure.

Why it matters: Directory listing exposes your file structure, plugin versions, and potentially sensitive files to anyone.

# .htaccess
Options -Indexes

# Nginx
autoindex off;

9. Implement Security Headers ✅

What it does: Tells browsers how to handle your content securely.

# Add to your Nginx server block
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is deprecated and ignored by current browsers; CSP below does that job
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# A CSP this strict blocks inline scripts and third-party assets, which breaks most CMS themes.
# Ship it as Content-Security-Policy-Report-Only first and tighten it once the reports are clean.
add_header Content-Security-Policy "default-src 'self'" always;
# Enable HSTS only once every page and subdomain works over HTTPS; browsers cache it for max-age seconds
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Test your headers: Visit securityheaders.com and enter your domain.
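For sites that cannot be scanned by an external service, or to check a staging host, the added example below (not from the original article) performs the same check offline on the raw response headers saved with `curl -sI https://yourdomain.com > headers.txt`. It lists which of the headers from the Nginx block above are missing and flags a CSP that is only in report-only mode; X-XSS-Protection is deliberately not in the required list because current browsers ignore it. The response in `write_sample_headers` is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): offline check of the
# security headers recommended in the article, run against saved
# "curl -sI" output. Header names are compared case-insensitively.
set -eu

REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy"

# Print "missing <header>" for each required header absent from file $1, plus
# "report-only content-security-policy" when only the Report-Only variant is
# present. Returns 1 if anything is missing, 0 if all required headers are set.
check_security_headers() {
    local file="$1" h present missing=0
    # one lowercase header name per line; the status line has no colon and is skipped
    present=$(tr -d '\r' < "$file" | awk -F: '/^[A-Za-z-]+:/ { print tolower($1) }')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$present" | grep -qx "$h"; then
            echo "missing $h"
            missing=1
            if [ "$h" = content-security-policy ] && printf '%s\n' "$present" | grep -qx content-security-policy-report-only; then
                echo "report-only content-security-policy"
            fi
        fi
    done
    return $missing
}

# Constructed sample response: two of the headers set, CSP only in report-only mode.
write_sample_headers() {
    printf 'HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html\r\n' > "$1"
    printf 'x-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\n' >> "$1"
    printf "content-security-policy-report-only: default-src 'self'\r\n" >> "$1"
}

# Demo on the constructed response.
hdrs=$(mktemp)
write_sample_headers "$hdrs"
check_security_headers "$hdrs" || echo "headers incomplete"
rm -f "$hdrs"
```

Because the function returns non-zero when something is missing, it drops straight into a deployment check or a cron job that mails you when a config change silently removes a header.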

10. Monitor and Scan Regularly ✅

What it does: Catches security issues before they become breaches.

Set up:

  • Uptime monitoring: UptimeRobot (free) — alerts you when your site goes down
  • Malware scanning: Sucuri SiteCheck (free) — scan for known malware
  • File integrity monitoring: Track changes to critical files
  • Log monitoring: Review access logs for suspicious activity

# Check for recently modified PHP files (potential hack indicator)
find /var/www/html -name "*.php" -mtime -7 -ls
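The `-mtime` check above misses a change whose timestamp was reset afterwards. The added example below (not from the original article) implements the "file integrity monitoring" item properly: it records a SHA-256 baseline of every file under the document root once, and a later compare reports anything added, removed or modified regardless of timestamps. The tree in the demo is constructed; in production run `fim_baseline` against `/var/www/html` right after a clean install or update, store the baseline somewhere the web server cannot write, and run `fim_compare` from cron. Paths with spaces are not handled, since the compare splits on whitespace.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): minimal file integrity
# monitor based on SHA-256 hashes rather than modification times.
set -eu

# Write "<sha256>  <relative path>" for every file under $1 into file $2.
fim_baseline() {
    local root="$1" out="$2"
    (cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$out"
}

# Compare directory $1 against baseline file $2. Prints one line per change
# ("added <path>", "modified <path>", "removed <path>") and returns 1 if there
# were any; prints nothing and returns 0 when the tree matches the baseline.
fim_compare() {
    local root="$1" baseline="$2" current changes
    current=$(mktemp)
    fim_baseline "$root" "$current"
    changes=$(
        # first file: remember baseline hashes by path; second file: current hashes
        awk 'NR == FNR { base[$2] = $1; next }
             {
                 if (!($2 in base)) print "added " $2;
                 else if (base[$2] != $1) print "modified " $2;
                 seen[$2] = 1
             }
             END { for (p in base) if (!(p in seen)) print "removed " p }' \
            "$baseline" "$current" | sort
    )
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a constructed tree: baseline, then simulate an edit, a new file and a deletion.
demo=$(mktemp -d); base=$(mktemp)
mkdir -p "$demo/wp-content/plugins"
printf '<?php echo 1;\n' > "$demo/index.php"
printf 'plugin\n' > "$demo/wp-content/plugins/a.php"
fim_baseline "$demo" "$base"
printf 'extra\n' >> "$demo/index.php"
printf 'new\n' > "$demo/wp-content/plugins/b.php"
rm "$demo/wp-content/plugins/a.php"
fim_compare "$demo" "$base" || echo "changes detected, investigate before trusting this host"
```

A legitimate update also shows up as changes, so the workflow is: run the compare, confirm the list matches what you deployed, then take a fresh baseline. Anything on the list you did not deploy, especially a new `.php` file under `uploads`, is the signal the article's `find` command was looking for.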

Quick Wins You Can Do Today

If this full checklist feels overwhelming, start with these five things today:

  1. Install SSL (most hosts offer one-click setup)
  2. Update everything (CMS, plugins, themes)
  3. Change weak passwords and enable 2FA
  4. Set up automated backups (even a simple daily database dump)
  5. Install Cloudflare (free plan provides basic WAF and DDoS protection)

These five steps alone will protect you from the vast majority of common attacks.

Secure Your Site with Confidence

Website security doesn't have to be complicated or expensive. By following this checklist, you'll protect your business, your customers, and your reputation from the most common threats.

At DeployBase, security comes built in. Our hosting plans include free SSL certificates, automated backups, server-level firewalls, and proactive security monitoring. We handle the infrastructure security so you can focus on running your business.

Get secure, reliable hosting at DeployBase →

Muhammad Saad
DeployBase Team