Linusite

Common website security mistakes small businesses make (and the 30-minute fixes)

Most hacked small-business websites we recover were broken by the same five mistakes. Here is the audit checklist and the fixes you can ship in an afternoon.

Linus Moses
Products Manager · May 11, 2026 · 2 min read

Website security is the thing most small businesses think about for the first time on the day their site gets defaced. By then it's an emergency. The good news: 80% of the breaches we triage trace back to a handful of fixable mistakes — none of them require an enterprise budget to address.

Mistake 1: One password, used everywhere

We still see admin accounts protected by a password that lives in the founder's notebook, the office WhatsApp group, and a Word document on the receptionist's desktop. Rotate every admin password. Use a password manager. Turn on two-factor authentication for the CMS, the hosting panel, the domain registrar and the email account that recovers them all.

Mistake 2: An admin account named "admin"

If your WordPress username is "admin", you have made an attacker's job easier. Create a new admin user with an unguessable name, then delete the "admin" account or demote it to subscriber. Apply the same idea to cPanel, hosting and CRM logins.

Mistake 3: Plugins and themes years out of date

A site running WordPress 6.0 with two-year-old plugins is a freebie for any drive-by scanner. Set up automatic minor updates, audit your plugin list quarterly, and remove anything you stopped using.

Mistake 4: No backup you have actually restored

Most "backup plans" we audit have never been tested. A backup you have not restored is a guess. Pick a tool (Duplicator Pro, UpdraftPlus, your hosting provider's own snapshots) and do one full restore to a staging URL — once, just to know it works.

Mistake 5: No firewall in front of the origin

Putting Cloudflare in front of your site (the free plan is enough for most) blocks most of the loud automated scanner traffic before it reaches your server. Enable Bot Fight Mode, rate-limit /wp-login.php, and set the security level to "medium" or higher.

The 30-minute audit

Open these five tabs and tick each one off in order: admin users · password vault · plugin/theme versions · most recent successful restore · WAF settings. You will sleep better tonight.
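The three machine-checkable items of that audit (admin user names, plugin updates and leftovers, age of the last successful restore) as a script. This is an added example, not the post's own tooling: it assumes you have saved the output of WP-CLI's `wp user list --role=administrator --format=json` and `wp plugin list --format=json`; the sample records and dates below are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of `wp user list --role=administrator --format=json`
ADMIN_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 7, "user_login": "k9-ledger-owl", "roles": "administrator"},
])

# Constructed sample in the shape of `wp plugin list --format=json`
PLUGINS_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.7"},
    {"name": "old-slider", "status": "inactive", "update": "none", "version": "1.2"},
])

# Logins the post warns about (Mistake 2): default or generic names.
GUESSABLE_LOGINS = {"admin", "administrator", "root", "test", "user"}


def audit_admin_users(users_json):
    """Mistake 2: return administrator logins that are trivially guessable."""
    users = json.loads(users_json)
    return sorted(u["user_login"] for u in users
                  if u["user_login"].lower() in GUESSABLE_LOGINS)


def audit_plugins(plugins_json):
    """Mistake 3: plugins with an update pending, and plugins installed but inactive."""
    plugins = json.loads(plugins_json)
    outdated = sorted(p["name"] for p in plugins if p["update"] == "available")
    unused = sorted(p["name"] for p in plugins if p["status"] == "inactive")
    return outdated, unused


def audit_restore(last_restore_iso, today_iso, max_age_days=90):
    """Mistake 4: flag a backup that was never restored, or not restored recently."""
    if not last_restore_iso:
        return "no successful restore on record"
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_restore_iso)).days
    return None if age <= max_age_days else f"last restore {age} days ago"


if __name__ == "__main__":
    # Constructed dates; replace with the date from your own restore log.
    print("guessable admins:", audit_admin_users(ADMIN_USERS_JSON))
    print("outdated / unused:", audit_plugins(PLUGINS_JSON))
    print("restore:", audit_restore("2026-01-10", "2026-05-11"))
```

The password-vault and WAF items stay manual: check them in the Cloudflare dashboard and your password manager alongside the script's output.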

If you would rather we run this for you, Fix My Website is a flat-rate triage that includes the audit, the fixes and a written report.
