Let me start with the uncomfortable truth about website security for small business: you will almost certainly not be hacked by a genius. You will be hacked by a bot that found your outdated plugin, or by someone who tried a password leaked from another site, and it worked because you reuse passwords.

That is actually good news. It means the defense is not expensive consultants or enterprise firewalls. It is hygiene. Five habits, most of them one-time setups, that close the doors the bots actually walk through.

I have spent over a decade building and maintaining web systems, and I have been called in more than once after a small business site was defaced, blacklisted by Google, or quietly turned into a spam relay. In every single case, the entry point was on the list below. Here it is, with honest time estimates.

Step 1: HTTPS everywhere (30 minutes, once)

If your site still loads over plain HTTP in 2022, fix this today. HTTPS encrypts traffic between your visitors and your server, and browsers now actively warn users away from sites without it. Chrome labels HTTP pages "Not Secure" right in the address bar. For a business, that label costs you trust before a visitor reads a single word.

The excuse used to be cost. That excuse died years ago. Let's Encrypt issues certificates for free, most hosting panels enable it with one click, and services like Cloudflare put HTTPS in front of your site at no cost. If your web vendor tells you HTTPS is a paid add-on, ask harder questions.

While you are in there, make sure HTTP redirects to HTTPS automatically. A certificate that exists but is not enforced protects nobody.

Step 2: updates, the unglamorous 80 percent (15 minutes monthly)

Most small business sites run on WordPress or a similar CMS, and most compromises of those sites come through outdated plugins and themes. Not the core software, the plugins. The gallery plugin installed in 2019 by a freelancer you no longer talk to is the most likely door into your site.

The routine:

  1. Monthly, log in and apply all pending updates: core, themes, plugins.
  2. Delete any plugin or theme you are not actively using. Deactivated is not the same as deleted; deactivated code can still be exploited.
  3. Audit yearly: for each plugin, check when it was last updated by its author. Abandoned plugins never receive security fixes. Replace them.

Fifteen minutes a month. Put it on the calendar next to paying the electricity bill, because it is exactly that kind of task: boring, recurring, and disastrous to skip for a year.

Step 3: backups you have actually restored (2 hours, once, then automatic)

Everyone says they have backups. Very few have tested a restore. An untested backup is a hope, not a plan.

What a real backup setup looks like for a small business site:

  • Automatic, daily or weekly depending on how often the site changes. Humans forget; schedules do not.
  • Off the server. A backup stored on the same server that gets compromised or dies is not a backup. Push it to cloud storage, or at minimum download it periodically.
  • Retained for at least 30 days. Compromises are often discovered weeks after they happen. If you only keep last night's backup, you may be faithfully backing up the hacked version.
  • Restore-tested once. Actually do it, on a staging copy or a temporary subdomain. Time yourself. That number is how long your site will be down in a real incident.

Total cost: usually free to Rp100,000 per month. Compare that to a week of downtime during a promotion.

Step 4: access control, or who can still log in? (1 hour, once)

Make a list of everyone who has ever had access to your website admin, your hosting panel, and your domain registrar. For most businesses this list includes at least one ex-employee and two ex-vendors, all with working credentials.

The cleanup:

  • One account per person. Shared logins mean you can never remove one person's access without disrupting everyone.
  • Least privilege. The person who writes blog posts needs an editor account, not administrator. Most CMS platforms make this a dropdown choice.
  • Offboarding as a habit. When a staff member or vendor relationship ends, revoking access is part of the checklist, same as collecting the office key.
  • Know where your domain lives. I have seen a business lose its own domain because it was registered under a departed freelancer's personal account. Verify today that the registrar account belongs to the business.

Step 5: passwords and 2FA, the highest-leverage hour you will spend

Here is where most breaches actually start. Credential-stuffing attacks take passwords leaked from one service and try them everywhere else. If your admin password is the same as your old Yahoo password, a bot has probably already tried it.

The fix is mechanical:

  1. Use a password manager (Bitwarden is free and solid) and generate a unique password for every account.
  2. Turn on two-factor authentication for your hosting panel, domain registrar, CMS admin, and the email account that receives password resets. That email account is the master key to everything else; protect it first.
  3. Never send passwords over WhatsApp or email in plain text. Password managers have sharing features for exactly this.

One hour of setup. It neutralizes the single most common attack against small businesses.

The takeaway: schedule it like a fire drill

None of these five steps require a security specialist, and together they cost less than one nice dinner per month. The pattern to notice is that security for a small business is not a product you buy, it is a short list of habits you keep. That mirrors what I argue in Why Your Business Needs a Technology Strategy, Not Just a Website: the thinking matters more than the tooling.

Block two hours this week. Do HTTPS, the access audit, and the password manager. Put the monthly update session and the backup restore test on the calendar. Then go back to running your business, which is the entire point of getting this out of the way.