The majority of hacks aren't high visibility attempts to steal sensitive information – smaller sites are often infected to set up a temporary web server for illegal files, or to use your server as an email relay for spam.

These attacks are designed to be as silent as possible, since the more time it takes you to notice that something is amiss, the longer the hackers can use your site.

Alternatively, you may also fall victim to malicious attacks designed to cause maximum disruption simply for "fun"  – some hackers get pleasure from annoying your visitors and ruining your day. The only upside of these attacks is that you are likely to notice pretty quickly.

So What Can You Do To Protect Your Website From Hackers?

 There are multiple ways a hacker could breach your site and it's always a good idea to get expert technical advice. First, the essentials:

  • Update both your security software and your site software regularly – providers of these core software systems supply updates partly in response to current hacking threats.

  • Install a firewall – either a free service or a web application firewall if your site is larger or holds more valuable data.

  • Implement HTTPS protocol, not only does this gives an extra layer of encryption but is now a best practice for a good SEO strategy.

  • Back everything up. Regularly.

In particular, pay attention to the following 5 areas that are often overlooked by small business website owners.

1. Use Login And Session Limits

Be careful not to give additional information in error messages – a neutral "login/password incorrect" response is safer than "incorrect password". Limit the number of login attempts a user can have, and ask your visitors to provide extra information, such as answering a security question. Your site should also automatically log users out if they are inactive for a set period of time.

2. Require Strong Passwords

Insist on strong passwords using a combination of upper and lower case letters, numbers and special characters.

A Dictionary attack (a programme which  "guesses" the password using known words) or a Brute Force attack (which tests every possible combination of letters and numbers) will make short work of simple passwords - sometimes within seconds.  

Make it a policy to change your admin passwords every six months, and if you are the only person who has administrator access to your site, consider barring any IP address aside from yours from having admin rights.

3. Restrict File Uploads

These are a major weak spot in any website. Where possible, do not give your visitors this facility – allow them to post links to files on external sources rather than upload them directly to your server. Unless you have a security team working on your website, uploads can be more risk than they are worth. If file uploads are an essential feature of your site, then make sure you quarantine files for scanning rather than allowing a direct, unchecked upload.  

4. Server Best Practices

If possible, run your database on a separate server to that of your web server. This means that only your web server can access it, minimising the risk to your data. Don't forget about restricting physical (as well as online) access to your server. Limit the people who can access it, and don't email login information or allow anyone to log in as you, even once. If it is unavoidable, change your login details immediately afterwards.

5. Test Regularly

Once your security measures are in place, check for vulnerable spots using penetration (or 'pen') testing. This is asking a trustworthy programme to 'hack' your site and then provide a detailed report on what areas you need to strengthen. These programmes are available online; for example Netsparker or Open VAS.


No site, no matter how well protected, will be able to withstand a sustained, focussed onslaught indefinitely. For this reason, the most important security step you can take is to back everything up.

You can set up a programme to automatically do this at regular intervals to cloud storage or a separate server. There are also several third party subscription services which will monitor and backup your whole domain, and offer a cleanup service if you get hacked – consider these as additional insurance.

Unfortunately, hacking is a fact of life on the internet – all you can do is minimise the likelihood of your site falling victim, and restrict the damage that can be done as a result.