DarkScout

Website Security Checklist for Small Businesses in 2026

nikhil
21 min read 23 Jun 26

43% of all cyberattacks target small businesses. 60% of those who suffer a breach close within six months.

The reason isn’t that small businesses are unlucky. It’s that attackers specifically look for them because they’re more likely to skip basic security steps, have fewer people monitoring for problems, and take longer to notice something is wrong.

The good news: most website security failures at the small business level are preventable. Not with expensive tools or a dedicated security team, but with the right foundational steps implemented and maintained consistently.

This checklist covers every area of website security that a small business needs to address in 2026. It’s organized into priority tiers so you know what to do today, what to do this week, and what to maintain on an ongoing basis. Work through it section by section, and you’ll have meaningfully stronger protection than the vast majority of small business websites currently have.

Before You Start: What’s at Stake

Before jumping into the checklist, it helps to understand what a website security failure actually costs.

The average cost of a data breach for a small business is between $120,000 and $1.24 million, according to IBM’s 2025 research. That figure includes direct response costs, lost business, regulatory fines, and reputational damage. For most small businesses, a breach of that scale is existential.

Beyond cost, there’s the legal dimension. If your website collects customer email addresses, processes payments, or handles any personal data from EU residents, you operate under GDPR regardless of where your business is located. A breach can trigger mandatory notification requirements and fines of up to 4% of global annual turnover.

And in 2026, the threat is no longer limited to sophisticated attackers. Automated tools scan millions of websites continuously looking for common vulnerabilities. Outdated plugins, weak passwords, and misconfigured servers get found and exploited without a human attacker ever specifically targeting you.

Security isn’t optional for small businesses anymore. It’s the baseline.

How to Use This Checklist

Items are organized into three priority tiers:

  • Tier 1: “Do today.” High-impact tasks that are usually quick, often an hour or less. Skipping these leaves you significantly exposed.
  • Tier 2: “Do this week.” High-impact items that take longer than an hour or need some setup before they pay off.
  • Tier 3: “Do periodically.” Recurring tasks that keep your security from decaying over time. Each of these carries a “how often” note so you know the cadence.

Section 1: SSL and HTTPS

Your website must run entirely over HTTPS. This is the baseline that everything else builds on.

Tier 1 items:

  • Install a valid TLS certificate (still commonly called an SSL certificate). Your hosting provider likely includes a free certificate through Let’s Encrypt. If not, install one today. An HTTP site in 2026 is flagged as “Not secure” by every major browser and penalized in search rankings.
  • Force HTTPS sitewide. Add a redirect rule to your server configuration that sends every HTTP request to its HTTPS equivalent with a permanent (301) redirect. In WordPress, this is handled through your hosting control panel or the Really Simple SSL plugin. Without this redirect, visitors who type your domain without https:// are served the unencrypted version of your site. Once the redirect works everywhere, add a Strict-Transport-Security (HSTS) header so returning browsers skip the plain-HTTP request entirely.
  • Fix any mixed content warnings. Once your site is on HTTPS, check for resources (images, scripts, stylesheets) still loading over HTTP. A broken padlock or “Not secure” indicator on an HTTPS page means mixed content exists. Check using your browser’s developer console (F12 > Console) or the “Why No Padlock?” tool at whynopadlock.com. The full guide to finding and fixing mixed content covers every scenario.
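As an added example (not code from the DarkScout article or from any browser tool), the following Python script does the mixed-content check offline on saved HTML: it walks the page with the standard-library parser and lists every sub-resource reference that still uses plain http://. The sample page embedded at the bottom is constructed for the demo; to check your own site, save a page with your browser or curl and pass it to find_mixed_content().

```python
"""Find mixed-content references in an HTML page served over HTTPS.

Added example for this checklist, not code from the DarkScout article or
from any browser tool. It walks the page with the standard-library HTML
parser and reports every sub-resource reference that uses plain http://,
which is what produces the broken padlock. The sample page below is
constructed for the demo.
"""
from html.parser import HTMLParser
import re

# Attributes whose value the browser fetches as a sub-resource. Plain <a href>
# is navigation, not mixed content, so it is deliberately not listed here.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "form": ("action",),
}

# url(http://...) inside CSS, with or without quotes.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


def _is_plain_http(url):
    # Protocol-relative (//host/...) and https:// URLs are fine; only http:// is mixed.
    return url.lower().startswith("http://")


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, attribute, url)
        self._in_style = False  # true while inside <style>...</style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # srcset is "url descriptor, url descriptor, ..."; check each URL.
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for url in candidates:
                if _is_plain_http(url):
                    self.findings.append((tag, attr, url))
        # Inline style="..." attributes can also pull images over http://.
        for url in CSS_URL_RE.findall(attrs.get("style") or ""):
            self.findings.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self.findings.append(("style", "css", url))


def find_mixed_content(html):
    """Return a list of (tag, attribute, url) for every http:// sub-resource."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two clean references, one link, five mixed-content hits.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://example.com/style.css">
<script src="http://cdn.example.com/jquery.js"></script>
<style>body { background: url(http://example.com/bg.png); }</style>
</head><body>
<img src="//example.com/logo.png" alt="protocol-relative, fine">
<img src="http://example.com/hero.jpg" srcset="http://example.com/hero-2x.jpg 2x">
<a href="http://partner.example.org/">a link is navigation, not mixed content</a>
<div style="background-image: url('http://example.com/tile.png')"></div>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
```

A protocol-relative URL (//host/path) inherits the page’s scheme and is left alone; a plain link to an http:// page is navigation rather than a loaded resource, so it is not reported either.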

Tier 3 items:

  • Monitor certificate expiry. (Monthly check) An expired certificate puts a full-page browser warning in front of every visitor, which for practical purposes takes your site offline and hurts your search ranking. Let’s Encrypt certificates are valid for 90 days and depend on automated renewal, so the thing to check is that the renewal job actually ran. Set a calendar reminder 30 days before expiry. Most hosting providers send expiry alerts, but don’t rely on them exclusively.
  • Verify SSL grade. (Quarterly) Test your TLS configuration at ssllabs.com/ssltest. Target an A or A+ grade. A lower grade usually means an outdated protocol version, weak cipher suites, or an incomplete certificate chain, any of which exposes visitors to risk.

Section 2: Access Control and Authentication

Weak credentials and poor access management are the most exploited entry points into small business websites. These items close the most commonly used doors.

Tier 1 items:

  • Enable multi-factor authentication (MFA) on every admin account. MFA blocks over 99% of automated account compromise attacks. Every CMS, hosting control panel, domain registrar, and email account associated with your website should require MFA, preferably with an authenticator app or hardware key rather than SMS codes. This is the single highest-impact item on the entire checklist.
  • Don’t run an admin account named “admin.” WordPress stopped forcing that username years ago, but many one-click installers still create it, and other platforms ship with predictable default usernames that automated attacks try first. Give every administrator a non-obvious username. Treat this as a small win, not a control: WordPress exposes usernames through author archive URLs and the REST API, so MFA and login rate limiting are what actually stop password guessing.
  • Use strong, unique passwords for every account. A password manager like Bitwarden (free) or 1Password generates and stores unique complex passwords so you never reuse credentials across accounts. Credential stuffing attacks specifically exploit reused passwords: one breach at a third-party service becomes access to every account where you used the same password.

Tier 2 items:

  • Apply the principle of least privilege. Every user should have only the access their job requires. A content editor needs an Editor role, not Administrator. A contractor building new functionality rarely needs direct database access. Every unnecessary privilege widens the damage an attacker can do if that account is compromised.
  • Remove accounts that are no longer in use. Former employees, contractors whose engagement has ended, temporary development accounts, and test accounts left over from finished projects should all be deleted or disabled. Keep the user list current.
  • Protect the admin login URL. WordPress serves its login at a known location (/wp-login.php and /wp-admin/), which is exactly what automated attacks hit. Restrict it by IP allowlist or an extra layer of authentication at the web server, or move it with a plugin. Moving the URL alone is obscurity, not a control; combine it with MFA and login rate limiting.

Tier 3 items:

  • Review user accounts. (Quarterly) People change roles. Staff leaves. Contractors finish projects. Access permissions that were appropriate when granted may no longer be. The quarterly review catches accounts that should have been removed.
  • Check active sessions. (Monthly) Verify there are no active authenticated sessions from devices or locations you don’t recognize.

Section 3: Software Updates and Patch Management

Outdated software is the most consistent source of exploitable vulnerabilities on small business websites. Attackers actively scan for known vulnerabilities in popular CMS versions, plugins, and themes.

Tier 1 items:

  • Update your CMS to the latest version. WordPress, Drupal, Joomla, or whatever platform your site runs on should always be on the current stable release. Security releases fix vulnerabilities that are, or soon will be, publicly documented; running an outdated version means you are exposed to flaws that attackers already know how to exploit.
  • Update all plugins and themes. On WordPress, outdated plugins are responsible for a significant majority of site compromises. Go through every installed plugin and theme and update them to their current version. This applies whether you’re actively using them or not.
  • Remove plugins and themes you’re not using. Inactive plugins and themes are still code on your server and still need patching. If you’re not using them, remove them completely rather than leaving them deactivated.

Tier 3 items:

  • Check for updates. (Weekly) Turn on automatic updates for minor core releases, which carry WordPress security fixes; they are enabled by default in wp-admin on current versions. For major core releases, plugins, and themes, review and apply updates weekly so the window between a published fix and your site being patched stays short. If a major update could break something, test it on a staging copy first rather than postponing it.
  • Watch for known vulnerabilities in what you have installed. (Ongoing) Vulnerability databases such as WPScan’s, and many hosting providers, publish advisories for popular plugins and themes. Subscribe to one so you hear about a flaw in something you run before the scanners find it on your site.

Section 4: Backups

Backups are your recovery option when everything else fails. They don’t prevent attacks, but they determine whether a successful attack destroys your business or becomes a recoverable incident.

Tier 1 items:

  • Set up automated daily backups. Manual backups get skipped. Automated backups don’t. Configure your hosting or a dedicated backup service to create daily backups of both your website files and your database.
  • Apply the 3-2-1 backup rule. Keep at least 3 copies of your data, on at least 2 different types of storage, with at least 1 copy stored offsite (not on the same server as your live site). If your server is compromised, a backup stored on the same server is also compromised. Common implementation: daily automated backup to hosting provider + weekly backup to an external cloud service (S3, Backblaze, or similar). Give the offsite copy credentials that can add backups but not delete or overwrite existing ones; otherwise an attacker who controls your server can wipe the backups along with the site.
  • Store at least 30 days of backup history. Some attacks, particularly those involving injected malicious code, go undetected for weeks. A backup from yesterday won’t help if the compromise happened three weeks ago. 30 days of backup history gives you a clean restore point before most detected incidents.

Tier 2 items:

  • Test a backup restore. A backup you’ve never successfully restored from is an untested backup. It may be corrupt, incomplete, or stored in a format that doesn’t restore cleanly. Test restoring from a backup to a staging environment at least once before you need it in an emergency.

Tier 3 items:

  • Check backup integrity. (Quarterly) Confirm backups are actually running on schedule and completing. Compare file sizes against previous runs; a backup that is suddenly tiny is a failed job, not a success. Repeat a full test restore every three to six months so you know recovery works when you need it.
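The following Python, an added example rather than code from the DarkScout article or any backup product, covers two checks the Tier 1 and Tier 3 backup items above call for: a SHA-256 manifest that lets you verify a backup is unchanged before you restore it, and a retention audit that lists which of the last 30 days have no backup file, the quickest way to catch a backup job that silently stopped. The filename pattern site-YYYY-MM-DD.tar.gz, the MANIFEST.sha256 name, and the directory that demo() builds are assumptions for this example.

```python
"""Backup integrity and retention checks for a website backup directory.

Added example for this checklist, not code from the DarkScout article or
from any backup product. write_manifest() records a SHA-256 digest per file,
verify_backup() reports files that are missing, altered or unlisted, and
missing_backup_days() lists the days in the last N with no backup file.
The filename pattern site-YYYY-MM-DD.tar.gz and the demo() tree are
assumptions constructed for the run.
"""
import hashlib
import os
import re
import tempfile
from datetime import date, timedelta

MANIFEST = "MANIFEST.sha256"
BACKUP_NAME = re.compile(r"^site-(\d{4}-\d{2}-\d{2})\.tar\.gz$")


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record a digest for every file in the directory; returns the file count."""
    names = sorted(n for n in os.listdir(backup_dir) if n != MANIFEST)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        for name in names:
            f.write(f"{_sha256(os.path.join(backup_dir, name))}  {name}\n")
    return len(names)


def verify_backup(backup_dir):
    """Return problems as strings: 'missing:', 'altered:' or 'unlisted:' + name."""
    expected = {}
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            expected[name] = digest
    problems = []
    for name, digest in expected.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif _sha256(path) != digest:
            problems.append(f"altered: {name}")
    for name in os.listdir(backup_dir):
        if name != MANIFEST and name not in expected:
            problems.append(f"unlisted: {name}")
    return sorted(problems)


def missing_backup_days(filenames, today_iso, keep_days=30):
    """ISO dates in the last keep_days (ending today) that have no backup file."""
    have = {date.fromisoformat(m.group(1)) for m in map(BACKUP_NAME.match, filenames) if m}
    today = date.fromisoformat(today_iso)
    window = (today - timedelta(days=i) for i in range(keep_days))
    return sorted(d.isoformat() for d in window if d not in have)


def demo():
    """Build a small constructed backup directory, verify it, then tamper with it."""
    d = tempfile.mkdtemp()
    for name, content in (("site-2026-06-22.tar.gz", b"files"), ("db-2026-06-22.sql.gz", b"dump")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    write_manifest(d)
    clean = verify_backup(d)
    with open(os.path.join(d, "db-2026-06-22.sql.gz"), "wb") as f:
        f.write(b"tampered")            # simulate corruption or attacker modification
    with open(os.path.join(d, "stray.txt"), "w") as f:
        f.write("not in manifest")
    return clean, verify_backup(d)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before or "OK")
    print("after tampering:", after)
    names = [f"site-2026-06-{day:02d}.tar.gz" for day in range(1, 24) if day not in (10, 11)]
    print("days without a backup:", missing_backup_days(names, "2026-06-23"))
```

Store the manifest with the offsite copy, not only next to the live site, so an attacker who edits a backup cannot also rewrite the digests.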

Section 5: Web Application Firewall and Bot Protection

A Web Application Firewall (WAF) sits between your website and incoming traffic, filtering out malicious requests before they reach your application.

Tier 1 items:

  • Enable a WAF. For most small businesses, this will be either a cloud-based WAF from your host or CDN (Cloudflare, SiteGround, WP Engine all offer WAF functionality) or a WAF plugin for your CMS. A WAF blocks many common attack patterns such as SQL injection, cross-site scripting (XSS), and brute-force logins before they reach your application. It is a filter in front of your code, not a fix for it: an attacker who finds a bypass still reaches the vulnerability, so patching stays essential.
  • Protect the login against brute force. Configure your login page to block, or at least rate-limit, IP addresses that repeatedly fail to log in. Without this, automated tools can try hundreds of thousands of password combinations with nothing slowing them down.
  • Enable bot protection. Not all web traffic is human. Bad bots keep trying to exploit, steal content, and crack passwords. Basic bot filtering blocks common malicious user agents and request patterns. Bot protection is part of the standard offering for most WAF solutions.
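As an added example that is not code from the DarkScout article or from any WAF or plugin, this Python script shows the logic behind login brute-force protection applied to web server access logs: it flags any IP that has posted five failed logins to the WordPress login endpoints within 60 seconds. It relies on the fact that WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect. The log lines are constructed sample data; the threshold and window are assumptions to tune for your own traffic.

```python
"""Spot login brute force in web server access logs.

Added example for this checklist, not code from the DarkScout article or
from any WAF or plugin. It parses Apache/nginx combined-format lines and
flags a source IP once it has posted THRESHOLD failed logins to a WordPress
login endpoint within WINDOW seconds, using a sliding window per IP. On
WordPress a failed login re-renders the form with HTTP 200 while a
successful one redirects with 302, so 200 responses to POST /wp-login.php
count as failures; xmlrpc.php is included because it accepts credentials
too. The log lines below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
THRESHOLD = 5   # failed attempts ...
WINDOW = 60     # ... within this many seconds


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?")[0]   # ignore query strings like ?redirect_to=...
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    return method == "POST" and path in LOGIN_PATHS and status == 200


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: ISO timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)   # per-IP timestamps of failed logins inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()              # drop attempts that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


# Constructed sample log: one attacker (203.0.113.7), one slow prober (198.51.100.4),
# one legitimate user who mistypes once and then logs in (192.0.2.10).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2026:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jun/2026:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jun/2026:10:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "-" "python-requests/2.31"
198.51.100.4 - - [23/Jun/2026:10:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2026:10:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "-" "python-requests/2.31"
192.0.2.10 - - [23/Jun/2026:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2026:10:00:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3290 "-" "python-requests/2.31"
192.0.2.10 - - [23/Jun/2026:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [23/Jun/2026:10:00:50 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2026:10:00:59 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3290 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {THRESHOLD} failed logins within {WINDOW}s by {when}")
```

The output is the list a fail2ban-style rule or a WAF IP block would act on; a legitimate user who fails once and then succeeds never reaches the threshold.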

Section 6: Vulnerability Scanning and Monitoring

You can’t secure what you can’t see. Regular scanning and monitoring tell you about problems before attackers take advantage of them.

Tier 2 items:

  • Run a website security scan. Use a dedicated website security scanner to check for common vulnerabilities: malware, outdated software, known exploits, blacklist status, and security header configuration. Sucuri SiteCheck, Wordfence, and similar tools provide a baseline security assessment in minutes.
  • Check your security headers. Security headers are HTTP response headers that instruct browsers how to handle your content. Missing or misconfigured headers are a common finding on small business sites. Test yours at securityheaders.com and address any red or orange ratings.
  • Scan for malware. Injected malware on compromised sites often runs invisibly for weeks or months. Regular malware scans catch compromises you might not notice through normal site use.
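The header checks a reviewer would make by hand, as added example code rather than the DarkScout article’s or securityheaders.com’s scoring: audit_headers() takes the response headers of a page (a dict, such as you would assemble from curl -I output) and returns findings for a missing or short HSTS policy, a missing or permissive Content-Security-Policy, missing nosniff and clickjacking protection, a missing Referrer-Policy, and version numbers leaked in Server or X-Powered-By. The WEAK and HARDENED header sets are constructed: one typical of a default WordPress-on-Apache install, one hardened.

```python
"""Audit a page's HTTP response security headers offline.

Added example for this checklist, not code from the DarkScout article and
not the scoring used by securityheaders.com. audit_headers() takes the
response headers as a dict (for instance assembled from `curl -I` output)
and returns (severity, finding) tuples. The WEAK and HARDENED header sets
are constructed: one typical of a default WordPress-on-Apache install, one
hardened.
"""
import re

HSTS_MIN_AGE = 31536000  # one year; the HSTS preload list requires at least this
# 'unsafe-inline'/'unsafe-eval', or a bare '*' source; '*.example.com' is not matched.
CSP_WIDE_OPEN = re.compile(r"'unsafe-(?:inline|eval)'|(?<![\w.*-])\*(?![\w.-])")


def _directive(csp, name):
    """Return the source list of one CSP directive, or None if absent."""
    m = re.search(rf"(?:^|;)\s*{re.escape(name)}\s+([^;]*)", csp)
    return m.group(1).strip() if m else None


def audit_headers(headers):
    """Return a list of (severity, finding); an empty list means nothing to fix."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("high", "Strict-Transport-Security missing: returning visitors still start on plain HTTP"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            out.append(("medium", f"Strict-Transport-Security max-age below {HSTS_MIN_AGE}: {hsts}"))

    csp = h.get("content-security-policy")
    if csp is None:
        out.append(("high", "Content-Security-Policy missing: no browser-side containment of injected scripts"))
    else:
        for name in ("default-src", "script-src"):
            sources = _directive(csp, name)
            if sources and CSP_WIDE_OPEN.search(sources):
                out.append(("medium", f"Content-Security-Policy {name} allows inline/eval or any origin: {sources}"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        out.append(("medium", "X-Content-Type-Options: nosniff missing: browsers may MIME-sniff uploads into scripts"))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        out.append(("medium", "No clickjacking protection: set X-Frame-Options or CSP frame-ancestors"))

    if "referrer-policy" not in h:
        out.append(("low", "Referrer-Policy missing: full page URLs leak to third-party sites"))

    for leaky in ("server", "x-powered-by"):
        value = h.get(leaky)
        if value and re.search(r"\d", value):
            out.append(("low", f"{leaky} header reveals a version: {value}"))

    return out


# Constructed: what a default WordPress on Apache typically returns.
WEAK = {
    "Server": "Apache/2.4.57 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
    "Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"',
}

# Constructed: the same site after hardening (payment script origin is an assumption).
HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com; "
                               "frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for severity, finding in audit_headers(hdrs):
            print(f"  [{severity}] {finding}")
```

Fix the two high-severity items first: HSTS closes the downgrade window the HTTPS redirect leaves open, and a CSP limits what an injected script can do if a plugin vulnerability lets one in.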

Tier 3 items:

  • Run a full security scan. (Monthly) Repeat your vulnerability and malware scan monthly. New vulnerabilities in installed software are discovered continuously. A clean scan this month doesn’t mean clean next month.
  • Monitor your site for unexpected changes. (Ongoing) File integrity monitoring alerts you when files on your server change unexpectedly, which is often a sign of a compromise. Many security plugins include file monitoring as a core feature.
  • Check whether your site appears on blacklists. (Monthly) Google, Bing, and security vendors maintain databases of sites flagged for malware or phishing. A blacklisted site gets a visible browser warning for every visitor. Check Google Search Console’s Security Issues report and run your domain through URLVoid monthly.

If you’re ever unsure whether your site has already been compromised, the guide on how to check if your website has been hacked covers every detection method step by step.

Section 7: Secure Configuration

How your website is configured determines much of its baseline security posture. These items address common misconfigurations that create unnecessary risk.

Tier 2 items:

  • Disable directory browsing. If directory browsing is enabled on your server, anyone can navigate to a folder URL and see a list of all files in that directory. This exposes your site structure, backup files, configuration files, and anything else stored in accessible directories. Disable it in your server configuration.
  • Hide your CMS version. Advertising which version of WordPress, Drupal, or Joomla you’re running tells attackers exactly which known vulnerabilities apply to your installation. Remove the generator tag from your HTML head and RSS feed, and delete files such as WordPress’s readme.html that state the version. Treat this as a minor hardening step: scanners can still fingerprint a version from asset paths, so it never substitutes for updating.
  • Secure your configuration files. Files like wp-config.php in WordPress contain database credentials and secret keys. On a correctly configured server, a browser request for wp-config.php is executed as PHP and returns a blank page (or a 403); what you must never see is the PHP source. The more common leak is a backup copy such as wp-config.php.bak, wp-config.php.old, or wp-config.php~ left behind by an editor or a migration, which the server hands out as plain text. Search for and delete any such copies.
  • Review file permissions. Web server files should follow the principle of minimum necessary permissions: directories at 755, files at 644, configuration files at 600. The 600 setting assumes the web server process runs as the file’s owner; if PHP runs as a different user in the owner’s group, use 640. Overly permissive settings, especially anything world-writable, allow unauthorized modification of files.
  • Configure error handling. Detailed error messages that display stack traces, database credentials, or server paths in the browser are a significant information disclosure risk. Configure your application to log detailed errors internally while displaying only generic messages to users.

The common website vulnerabilities guide covers each of these configuration issues in detail with specific fix instructions.
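An added example, not code from the DarkScout article or the linked guide, that audits a web root against the permissions baseline above and also looks for the stray configuration-file copies mentioned under “Secure your configuration files”: directories writable by group or others, files writable by group or others or marked executable, configuration files readable beyond their owner, and wp-config.php.bak-style copies. The set of configuration filenames and the sample tree that demo() builds are assumptions for the example; run audit_permissions() against your real document root.

```python
"""Audit web root permissions against the 755/644/600 baseline.

Added example for this checklist, not code from the DarkScout article or
the linked vulnerabilities guide. audit_permissions() walks a directory
tree and reports anything looser than the baseline, plus stray copies of
configuration files (wp-config.php.bak and the like) that a web server
would serve as plain text. CONFIG_FILES, STRAY_SUFFIXES and the tree that
demo() builds are assumptions for the example.
"""
import os
import stat
import tempfile

# Configuration files that hold credentials (WordPress, Joomla, Drupal, dotenv).
CONFIG_FILES = {"wp-config.php", "configuration.php", "settings.php", ".env"}
# Editor and migration leftovers that are not executed as PHP and so leak their source.
STRAY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".txt", "~", ".swp")


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) tuples for every finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), oct(mode),
                                 "directory writable by group/other; expect 755"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if any(name == base + suffix for base in CONFIG_FILES for suffix in STRAY_SUFFIXES):
                findings.append((rel, oct(mode),
                                 "stray copy of a config file; served as plain text, delete it"))
            elif name in CONFIG_FILES:
                if mode & (stat.S_IRWXO | stat.S_IWGRP):
                    findings.append((rel, oct(mode),
                                     "config readable or writable beyond owner; expect 600 "
                                     "(640 if the web server runs as another user in the owner's group)"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, oct(mode), "file writable by group/other; expect 644"))
            elif mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, oct(mode), "execute bit set on a web file; expect 644"))
    return sorted(findings)


def demo():
    """Build a constructed web root with a few deliberate mistakes and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # mistake: world-writable
    sample = {
        "index.php": 0o644,
        ".htaccess": 0o644,
        "wp-config.php": 0o644,                    # mistake: readable by everyone
        "wp-config.php.bak": 0o600,                # mistake: leftover copy, flagged whatever its mode
        "wp-content/uploads/upload.php": 0o777,    # mistake: writable and executable
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode} {rel}: {reason}")
```

World-writable uploads directories are the classic case: they are where an attacker who gets any write primitive drops a PHP file, so pair the permission fix with a web server rule that refuses to execute PHP under uploads.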

Section 8: Data Protection

If your website collects, processes, and stores any data regarding customers, it is vital to take every step necessary to secure and protect that data.

Tier 1 items:

  • Identify what data your website collects. Contact forms, email signup forms, checkout pages, account registration, and analytics all collect data. Know exactly what you’re collecting, where it’s stored, and who has access to it. You can’t protect data you don’t know you have.
  • Ensure payment processing uses a compliant provider. Never store raw payment card data on your own server. Use a PCI DSS-compliant payment processor like Stripe, PayPal, or Square that handles card data entirely on their side. Your website should never touch the raw card number.
  • Minimize data collection. Don’t collect personal data you don’t actually need for your business function. Every piece of personal data you hold is a piece of data you’re responsible for protecting and potentially liable for if it’s breached.

Tier 2 items:

  • Publish and maintain a privacy policy. A privacy policy is legally required if you collect personal data from visitors in most jurisdictions. It must accurately describe what data you collect, why you collect it, how you store it, and how users can request deletion.
  • Encrypt form data in transit and at rest. Forms submitted over your HTTPS site are encrypted on the way to your server. Make sure submitted form data is also encrypted at rest in your database, particularly for sensitive fields, and that form plugins aren’t keeping every submission indefinitely when you only needed it delivered.

Section 9: Dark Web Monitoring

This is the checklist item most small business security guides don’t include. It’s also one of the most practically valuable for early warning of a coming attack.

When an attacker obtains credentials to your website, hosting control panel, or business email, those credentials frequently end up in dark web markets and stealer log databases within hours of being stolen. Monitoring for your business’s email addresses and domain in these underground databases gives you advance warning before those credentials are used.

Tier 2 items:

  • See if your business email addresses are part of published breaches. Start by checking each business email address attached to your website admin logins, hosting account, and domain registrar against DarkScout or Have I Been Pwned (haveibeenpwned.com). If an address appears in a published breach, reset the password on every account that used it and turn on MFA for those accounts immediately.
  • Run a dark web exposure scan for your domain. Beyond publicly disclosed breaches, your credentials and business data may be circulating in underground markets that HIBP doesn’t cover. DarkScout’s free email scan checks against dark web breach databases and stealer log markets that reach further into underground credential trading than public breach databases. Understanding how dark web monitoring works shows why surface-level breach checks miss a significant portion of real-world credential exposure.

Tier 3 items:

  • Set up ongoing dark web monitoring for your domain. (Ongoing) A one-time check tells you your current status. Ongoing monitoring tells you when new exposure appears, which is the point at which you can still act before the stolen credentials are used. DarkScout’s Dark Monitoring service continuously scans dark web markets and underground forums for signals related to your organization.

Section 10: Incident Response Planning

When something goes wrong, how fast and effectively you respond determines how much damage it causes. Organizations with a documented response plan respond faster and recover faster than those that figure it out during the crisis.

Tier 2 items:

  • Document your incident response steps. Write down what you’ll do if your website is compromised: who you contact first, how you take the site offline if needed, how you restore from backup, who handles customer communication, and what regulatory notifications you may need to make. This doesn’t need to be a long document. A one-page checklist you can follow under stress is more useful than a comprehensive plan nobody reads. The data breach response plan guide provides a starting framework you can adapt.
  • Know your hosting provider’s security contact. Find the security contact or emergency support line for your hosting provider before you need it. In an active compromise, you don’t want to spend time searching for this.
  • Know your notification responsibilities. If your website suffers a breach of personal data, you may be legally required to notify a regulator and the affected people. Under GDPR, the supervisory authority must be told within 72 hours of your becoming aware of the breach unless it is unlikely to result in a risk to individuals, and many other jurisdictions have their own deadlines. Find out where you stand before you get hacked.

Your Priority Action List

If you’ve read through the full checklist and feel overwhelmed, start here. These are the items that provide the most protection per hour invested:

Do these today (2-3 hours):

  1. Turn on MFA for all admin accounts.
  2. Install an SSL and force HTTPS (if not already done).
  3. Upgrade your CMS, plugins, and themes.
  4. Delete unused themes and plugins.
  5. Change the default administrator username and weak admin password.

Do this week:

  6. Set up automated daily backups with offsite storage.
  7. Enable a WAF and brute-force protection.
  8. Run a full website security scan.
  9. Check all user accounts and remove unused ones.
  10. Run a dark web exposure check on your domain and admin email addresses.

Set up an ongoing cadence:

  • Weekly: Review software updates for newly released versions of plugins, themes, and your CMS.
  • Monthly: Conduct a full website scan and test backups. Check domain blacklist status.
  • Quarterly: Confirm your backups are restorable with a test restore, review user accounts and permissions, and re-check your SSL Labs grade.

Frequently Asked Questions

What is a website security checklist?
A website security checklist is a structured set of tasks and best practices designed to protect a website from cyber threats such as malware, data breaches, ransomware, phishing attacks, and unauthorized access.