Skip to main content

Guide

Website Security Checklist for Small Business

Published June 25, 2026 · 10 min read

You do not need a security team to run a credible business website — but you do need a repeatable checklist. This guide covers the essentials most small businesses miss, in priority order.

1. HTTPS everywhere

  • Valid SSL/TLS certificate on your primary domain and www (if used).
  • HTTP redirects to HTTPS automatically.
  • No mixed-content warnings (images or scripts loaded over HTTP).
  • Certificate expiry monitored — expired SSL is an instant trust killer.

2. Keep software updated

  • CMS core, themes and plugins on the latest stable versions.
  • Remove unused plugins and demo accounts.
  • Strong unique passwords and two-factor authentication on admin accounts.
  • Limit admin login URLs where possible; block brute-force with hosting or WAF tools.

3. Security headers

Ask your host or developer to confirm these HTTP response headers on public pages:

  • Strict-Transport-Security (HSTS) — forces HTTPS in browsers.
  • X-Content-Type-Options: nosniff — reduces MIME sniffing risk.
  • X-Frame-Options or Content-Security-Policy frame-ancestors — limits clickjacking.
  • Content-Security-Policy — start with a sensible policy and tighten over time.

4. Legal and trust pages

  • Privacy policy linked from the footer.
  • Cookie policy or notice if you use non-essential cookies.
  • Terms and conditions where you sell online or take bookings.
  • Clear contact details — email, form or phone on reachable pages.

5. Email and domain security

  • SPF record published in DNS.
  • DKIM signing enabled with your email provider.
  • DMARC policy at least at p=none to start monitoring spoofing.
  • Business email on your domain — not only a free Gmail address on the website.

6. Backups and recovery

  • Automated daily backups stored off-server.
  • Test a restore at least once — a backup you cannot restore is not a backup.
  • Document who can access hosting, DNS and domain registrar accounts.

7. Exposed files and admin paths

  • No public .env, backup zip, or database dumps reachable via URL.
  • Default admin paths secured; unnecessary directory listing disabled.
  • robots.txt and sitemap.xml present for legitimate crawlers.
  • Consider security.txt with a contact for security researchers.

8. Forms and customer data

  • Contact and checkout forms submit over HTTPS only.
  • CAPTCHA or rate limiting on public forms to reduce spam and abuse.
  • Collect only data you need; link to privacy policy at point of collection.
  • PCI compliance handled by your payment provider — never store raw card numbers yourself.

9. Monitoring

  • Uptime or trust monitoring so you hear about downtime or certificate expiry first.
  • Re-scan after plugin updates, theme changes or new third-party scripts.
  • Review admin user list quarterly; remove former staff access.

10. When to go further

If you handle payments, store personal data or offer customer logins, consider a structured manual security review in addition to automated scans. Automation finds misconfigurations; human review catches business-logic and workflow risks.

Automate the checklist

Plexa Trust runs many of these checks automatically and tracks your website trust score over time. Start with a free scan, then upgrade for AI fix guides and monitoring.

Frequently asked questions

Most small business owners can complete the essentials — HTTPS, backups, updates, legal pages and email security — in one to two hours with a checklist. Automated scanning speeds up discovery to minutes.
Start with a checklist and automated scans for ongoing hygiene. Book a penetration test when you handle payments, logins, sensitive data or need assurance before a launch or compliance review.
Running without valid HTTPS, outdated plugins or CMS versions, and missing privacy or cookie policies. All three erode customer trust and are straightforward to fix.
Plexa Trust automates many checklist items — SSL, headers, exposed paths, policies and trust signals — and tracks improvements over time. You still need human judgement for passwords, access control and hosting choices.

Run the checklist on your site

Free automated scan — results in under 60 seconds.

Free website scan