Most hacked websites aren't targeted by sophisticated hackers. They're compromised by automated bots scanning the internet for known vulnerabilities. The good news: basic security practices prevent 95% of attacks. Here's what you need to do.
Security Basics That Prevent Most Attacks
The vast majority of website hacks exploit known vulnerabilities in outdated software, weak passwords, or misconfigured servers. You don't need enterprise-grade security — you need to get the basics right consistently. Think of it like locking your front door — it won't stop a determined burglar, but it stops the opportunists.
Keep Everything Updated
This is the single most important thing you can do. If you're on WordPress, update core, themes, and plugins as soon as updates are available. Each unpatched vulnerability is an open door. WordPress powers 40% of the web — that makes it a massive target. Plugin vulnerabilities account for the majority of WordPress hacks. If you're on a bespoke platform, make sure your developer applies security patches to the framework and server software regularly.
Passwords and Access Control
Use unique, strong passwords for every login — admin panel, hosting, FTP, database, email. Use a password manager. Enable two-factor authentication wherever possible. Remove admin accounts for people who no longer need access. Don't use "admin" as your username. These sound basic because they are — and they're still the most common entry points for hackers.
Backup Strategy
Daily automated backups stored off-site. Test your backups regularly — a backup that can't be restored is useless. Keep at least 30 days of backups so you can restore from before a compromise was detected. Your hosting provider should handle this, but verify it. We've seen businesses lose everything because they assumed backups were happening when they weren't.
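The backup routine described above, as an added example that is not part of the original article: a POSIX shell script that takes a dated archive of the web root, prunes archives older than 30 days, and proves each backup can actually be restored by extracting it to a scratch directory and comparing it with the live tree. The site and backup paths are assumptions (the demo uses a constructed throwaway directory, not a real web root), and in practice the backup directory should be synced to storage off the web server.

```shell
#!/bin/sh
# Added example, not from the original article: a daily backup script with
# 30-day retention and a restore test. The site and backup paths are
# assumed; in practice the backup directory should be synced off-site.
set -eu

# Create a dated, compressed archive of site_dir inside backup_dir and
# print the archive path.
make_backup() {
    site_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    archive="$backup_dir/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C stores relative paths so the archive can be restored anywhere
    tar -czf "$archive" -C "$site_dir" .
    printf '%s\n' "$archive"
}

# Remove archives older than keep_days (default 30) so there is always a
# copy from before a compromise was noticed.
prune_backups() {
    backup_dir=$1
    keep_days=${2:-30}
    find "$backup_dir" -name 'site-*.tar.gz' -type f -mtime +"$keep_days" \
        -exec rm -f {} +
}

# Restore an archive into a scratch directory and compare it with the live
# tree. Returns 0 when the restored copy matches, 1 otherwise. A backup that
# has never been restored has never been tested.
verify_backup() {
    archive=$1
    site_dir=$2
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$site_dir" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# --- Demonstration on a constructed throwaway site, not a real web root ---
work=$(mktemp -d)
mkdir -p "$work/site/wp-content"
printf 'constructed sample page\n' > "$work/site/index.php"
printf 'constructed sample plugin\n' > "$work/site/wp-content/plugin.php"

archive=$(make_backup "$work/site" "$work/backups")
echo "Backup written: $archive"

if verify_backup "$archive" "$work/site"; then
    echo "Restore test: OK"
else
    echo "Restore test: FAILED"
fi

# Simulate a stale archive (fixed timestamp in 2020) and apply retention.
touch -t 202001010000 "$work/backups/site-20200101-000000.tar.gz"
prune_backups "$work/backups" 30
echo "Archives kept after pruning:"
ls "$work/backups"
rm -rf "$work"
```

Run it from cron once a day against the real web root; the restore test is the part most people skip, and it is the part that tells you whether the backup is worth anything. Database dumps (for WordPress, the MySQL database) need the same treatment alongside the files.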
SSL and HTTPS
Every page on your website should be served over HTTPS. SSL certificates are free with Let's Encrypt and most hosting providers include them. HTTPS encrypts data between your visitor's browser and your server — essential if you have any forms, login pages, or payment processing. Google also uses HTTPS as a ranking signal.
Monitoring and Incident Response
Set up uptime monitoring so you know immediately if your site goes down. Use Google Search Console — it will alert you to security issues Google detects. Review server logs for unusual activity. Have a plan for what to do if you are compromised: who to contact, how to restore from backup, how to identify and fix the vulnerability.
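One concrete form of "review server logs for unusual activity", as an added example that is not part of the original article: two awk-based checks over a web server access log in the common combined format. The first flags IPs hammering the WordPress login page, the second flags IPs racking up 404s, which is what the automated vulnerability scanners mentioned at the top of the article look like in a log. The log lines are constructed for the demo, and the thresholds are assumptions to tune for your own traffic.

```shell
#!/bin/sh
# Added example, not from the original article: simple access-log review
# for two common signs of automated attack. Assumes Apache/nginx combined
# log format: ip - - [date] "METHOD /path HTTP/x" status bytes "ref" "ua".
set -eu

# Print each IP with at least threshold POST requests to /wp-login.php.
# WordPress answers a failed login with 200 and a successful one with 302,
# so counting every POST catches the burst whichever way it ended.
login_bursts() {
    logfile=$1
    threshold=${2:-10}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$logfile" | sort
}

# Print each IP with at least threshold 404 responses. Scanners probe many
# paths that do not exist on your site; real visitors rarely do.
scan_bursts() {
    logfile=$1
    threshold=${2:-20}
    awk -v t="$threshold" '
        $9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$logfile" | sort
}

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:00 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:02 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
EOF
    printf '%s\n' "$f"
}

# --- Demonstration on the constructed log ---
log=$(sample_log)
echo "Login bursts (3 or more POSTs to wp-login.php):"
login_bursts "$log" 3
echo "404 bursts (5 or more not-found responses):"
scan_bursts "$log" 5
rm -f "$log"
```

On a live server, point the functions at the real access log (for example from a daily cron job that emails anything they print) and raise the thresholds until normal traffic stays quiet. An IP that trips either check is a candidate for a firewall block and, for the login case, a prompt to confirm 2FA is on for every admin account.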
Your Security Checklist
- SSL certificate active.
- All software updated.
- Strong unique passwords with 2FA.
- Daily offsite backups (tested).
- Unused accounts removed.
- Server monitored 24/7.
- Incident response plan documented.
If you can tick all seven, your website is more secure than 90% of sites on the internet.
22 years building and securing websites for UK businesses.