The small-business website security checklist (no IT person required)
You don't need to be technical — or hire someone — to cover the security basics for a small-business website. Here's a practical checklist you can work through in an afternoon, plus how to keep it from quietly slipping afterward.
1. Serve your whole site over HTTPS
Every page should load over https:// with a valid certificate, and plain http:// should automatically redirect to it, ideally with a permanent (301 or 308) redirect. How to check: look for the padlock or site-information icon in the address bar, then type your address with http:// in front and confirm it jumps to the secure version. Watch for "mixed content" warnings, where a secure page still pulls an image or script over insecure HTTP; browsers block insecure scripts and stylesheets outright, so a single http:// script tag can quietly break a page.
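The two checks above can be done by hand in a browser, but if you would rather script them, here is an added example (not part of the original checklist): a small standard-library Python scanner that flags mixed content in a saved copy of your page, splitting it into the "active" loads browsers block and the "passive" ones they warn about, plus a helper that judges whether an http:// response is a proper redirect to https://. The sample HTML is constructed for the demonstration; the live probe is optional and needs network access.

```python
"""Added example for checklist item 1: an offline mixed-content scanner and a
helper that judges an http:// -> https:// redirect. Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose insecure loads browsers refuse outright ("active" mixed content):
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
# Elements browsers warn about or silently upgrade ("passive" mixed content):
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = {"src", "href", "data", "poster"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every sub-resource fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and tag not in PASSIVE_TAGS:
            return
        for name, value in attrs:
            # Only an explicit http:// scheme is mixed content; relative and
            # protocol-relative (//cdn...) URLs inherit the page's https://.
            if name in URL_ATTRS and value and urlsplit(value).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((kind, tag, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def redirect_is_secure(status, location):
    """True when a plain-HTTP response sends the browser to an https:// URL.
    301 or 308 is preferable (permanent); 302/307 works but is cached less."""
    return status in (301, 302, 307, 308) and urlsplit(location or "").scheme == "https"


def live_redirect_check(host, timeout=5):
    """Network probe (not run offline): fetch http://host/ without following
    redirects and judge the first response. Assumes the host answers on port 80."""
    import http.client
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_is_secure(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed sample page: one blocked script, one warned image, two clean loads.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<img src="http://example.com/logo.png" alt="logo">
<img src="/images/hero.jpg">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag}> loads {url}")
    print("redirect ok:", redirect_is_secure(301, "https://www.example.com/"))
```

Run it against `curl -s https://your-site/` saved to a file and fix the "active" findings first; those are the ones that break pages rather than just dimming the padlock.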
2. Make sure your certificate won't expire unexpectedly
An expired certificate replaces your site with a full-page browser warning and drives visitors away. Know your expiry date and set tiered reminders (14 / 7 / 3 days) so a failed auto-renewal can't take you offline; short-lived certificates such as Let's Encrypt's 90-day ones renew automatically, which means the renewal job itself is the thing that fails quietly. How to check: see our guide on getting alerted before your SSL certificate expires.
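For anyone who wants the reminder logic in code, here is an added example (not from the original checklist) that turns a certificate's notAfter date into days remaining and the 14/7/3-day tiers that should have fired. It uses only the Python standard library; the dates below are constructed, and the live fetch needs network access. One caveat worth seeing in code: once a certificate has actually expired, the TLS handshake fails verification before you can read the date, so a checker has to treat that failure as the loudest alert of all, not as "nothing to report".

```python
"""Added example for checklist item 2: days-to-expiry and reminder tiers from a
certificate's notAfter string. Standard library only."""
import socket
import ssl
import time

REMINDER_TIERS = (14, 7, 3)  # days before expiry at which to alert


def days_until_expiry(not_after, now=None):
    """not_after is in the format ssl.getpeercert() uses, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires_at = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires_at - now) / 86400.0


def reminders_due(days_left, tiers=REMINDER_TIERS):
    """Every tier whose threshold has already been crossed; all of them once expired."""
    return [tier for tier in tiers if days_left <= tier]


def assess(not_after, now=None):
    """Summarise one certificate for a report line or an alert e-mail."""
    days_left = days_until_expiry(not_after, now)
    if days_left <= 0:
        state = "EXPIRED"
    elif days_left <= min(REMINDER_TIERS):
        state = "CRITICAL"
    elif days_left <= max(REMINDER_TIERS):
        state = "WARNING"
    else:
        state = "OK"
    return {"state": state, "days_left": round(days_left, 1), "reminders": reminders_due(days_left)}


def fetch_not_after(host, port=443, timeout=5):
    """Live check (needs network). Returns the leaf certificate's notAfter, or
    None when the handshake fails verification, which is exactly what an
    already expired certificate does: callers must treat None as site-down."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None


# Constructed inputs: a certificate that expires on 1 June 2025, checked on 20 May.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2025 GMT"
SAMPLE_NOW = ssl.cert_time_to_seconds("May 20 12:00:00 2025 GMT")

if __name__ == "__main__":
    print(assess(SAMPLE_NOT_AFTER, SAMPLE_NOW))
    # Pass a real hostname to fetch_not_after() to check a live site:
    # print(assess(fetch_not_after("example.com")))
```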
3. Turn on your security headers
Security headers are instructions your server sends with every page that tell browsers to enforce extra protections: HSTS (always use HTTPS for this site), Content-Security-Policy (where scripts and other resources may load from), X-Frame-Options (don't let other sites frame your pages), X-Content-Type-Options and a few others. They cost nothing to add, yet most small sites are missing several. How to check: paste your domain into a free grader like securityheaders.com, or read our plain-English walkthrough of website security headers.
4. Don't expose admin panels or databases to the internet
Your database and internal admin tools should not be reachable from the open internet. Database ports (such as 3306 for MySQL, 5432 for PostgreSQL, 27017 for MongoDB) should be firewalled or bound only to localhost (127.0.0.1) or a private network interface, and admin logins should sit behind strong authentication. How to check: ask your host which ports are open, or have your site scanned from the outside to see what's reachable. The outside view is the one that counts: a host firewall can block a port even when the database itself listens on every interface, and the reverse is true too.
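If you have shell access to your server, the quickest inside view is the listener table from `ss -tln` (or `netstat -tln` on older systems). Here is an added example (not part of the original checklist) in standard-library Python that reads that table and flags database ports bound to anything other than loopback; the sample output is constructed, and the port list extends the three in the text with Redis and MS SQL Server. Treat its results as a lead, not a verdict: the authoritative answer is still an external scan of the server's public address.

```python
"""Added example for checklist item 4: parse `ss -tln` output and flag
database listeners that are not confined to loopback. Standard library only."""

DB_PORTS = {3306: "MySQL/MariaDB", 5432: "PostgreSQL", 27017: "MongoDB",
            6379: "Redis", 1433: "MS SQL Server"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def split_local_address(field):
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); '[::]:27017' -> ('[::]', 27017)."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def exposed_db_listeners(ss_output):
    """Return (port, service, address) for every database listener not confined
    to loopback. Anything else (0.0.0.0, *, [::], or a LAN address) needs either
    a firewall rule in front of it or a bind-address change."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = split_local_address(fields[3])
        if port in DB_PORTS and addr not in LOOPBACK:
            exposed.append((port, DB_PORTS[port], addr))
    return exposed


# Constructed `ss -tln` output: MySQL and MongoDB on every interface, PostgreSQL local only.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      70     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      4096   [::]:27017          [::]:*
"""

if __name__ == "__main__":
    import subprocess
    try:  # use the real table when ss is available, otherwise the sample
        output = subprocess.run(["ss", "-tln"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS
    for port, service, addr in exposed_db_listeners(output):
        print(f"{service} ({port}) listens on {addr}: firewall it or bind to 127.0.0.1")
```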
5. Don't advertise your exact software versions
Servers and frameworks often announce their precise version in their responses (for example Server: Apache/2.4.41 or X-Powered-By: PHP/7.4.3). That hands an attacker a roadmap of known weaknesses to try, and lets automated scans pick your site out as running a particular vulnerable version. Genericize or remove those version banners where you can (ServerTokens Prod and ServerSignature Off on Apache, server_tokens off on nginx, expose_php = Off for PHP). Hiding the banner does not fix the weakness itself; keeping the software updated (item 6) does that. It just stops you being an easy target.
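Items 3 and 5 are both read off the same HTTP response, so one check covers them. Here is an added example (not from the original checklist, and not securityheaders.com's scoring) in standard-library Python: it audits a set of response headers for the protections listed under item 3 and flags any Server or X-Powered-By style banner carrying a dotted version number. Both header sets below are constructed, showing a typical unconfigured small site beside its hardened version; the thresholds and letter scale are this example's own.

```python
"""Added example for checklist items 3 and 5: audit response headers for the
common protections and for version-leaking banners. Standard library only."""
import re

SIX_MONTHS = 15552000  # seconds; HSTS preload lists expect at least a year
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def audit_headers(headers):
    """headers: name -> value as returned by a HEAD/GET on the site's home page.
    Returns a list of human-readable findings; an empty list is a clean result."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) < SIX_MONTHS:
        findings.append("Strict-Transport-Security max-age is under six months")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Item 5: any banner carrying a dotted version number is advertising a target.
    for name in BANNER_HEADERS:
        value = h.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} reveals a version: {value}")
    return findings


def grade(findings):
    """Rough letter grade for a weekly report: A is clean, F is four or more findings."""
    return "ABCDF"[min(len(findings), 4)]


def fetch_headers(url, timeout=5):
    """Live check (needs network). Some servers reject HEAD; retry with GET on a 405."""
    import urllib.request
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.getheaders())


# Constructed header sets: a typical unconfigured small site and the hardened version.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED_HEADERS = {
    "Server": "Apache",  # ServerTokens Prod leaves just the product name
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_headers(headers)
        print(f"{label}: grade {grade(findings)}")
        for finding in findings:
            print("  -", finding)
```

The Content-Security-Policy in the hardened set is deliberately strict; on a real site start with a report-only policy and tighten it, because a CSP that is too tight breaks the page just as surely as mixed content does.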
6. Keep your software updated
Out-of-date CMS cores, plugins and themes are among the most common ways small websites get compromised: attackers scan for a specific vulnerable plugin version and hit every site running it. Turn on automatic updates where it's safe to, and remove plugins and themes you no longer use; every extra plugin is extra attack surface, and a deactivated plugin is still code sitting on your server. Delete what you don't need.
7. Lock down the logins
Use strong, unique passwords (a password manager makes this painless) and turn on multi-factor authentication (MFA) everywhere that matters: your CMS, your hosting account, your domain registrar, your DNS provider and the email address they all recover to. Keep the number of admin accounts small, give day-to-day editors a lower-privilege role, and remove ex-staff and old contractors promptly.
8. Keep a backup you've actually tested
Automatic, off-site backups turn a worst-case hack or mistake into an inconvenience instead of a catastrophe. Include the database, not just the files, and keep at least one copy somewhere the web server itself cannot overwrite or delete, so an attacker who gets into the site cannot take the backups with it. Just as important: confirm you know how to restore one, and do a trial restore every so often. A backup you've never tested is a guess.
Keep it from drifting
Security isn't a one-time task — it's a state your site slowly drifts out of. A plugin update lapses, a header gets dropped in a deploy, a port gets opened during a migration. For a small team with no dedicated security person, the only thing that really works is a recurring check that doesn't depend on anyone remembering.
secscout automates the watching part
secscout monitors the externally-visible items on this list — HTTPS and certificate health, security headers, exposed ports and leaky software banners — every week, and emails you a graded report plus a heads-up before your certificate expires. The logins, updates and backups stay in your hands; secscout makes sure the rest doesn't quietly regress.
Get started — $10/mo
Cancel anytime · passive, read-only checks on domains you've verified you own