Why small business websites get hacked (and what you can do to avoid it)


Think your website is too small for a hacker to bother trying to break in? Think again. Small business websites are often targeted by hackers precisely because they’re seen as easier targets.

You may think your virtual shop front is nothing more than a speck in the internet cosmos, but to a hacker, it’s a potential goldmine. So, let’s get into the nuts and bolts of why your website might be on a hacker’s hit list. And, more importantly, what you can do about it.


Over 50% of small businesses have experienced a cyber attack.


What are the potential consequences for a small business whose website is hacked?

I’d rather use reason than scare tactics, and hate it when someone tries to scare me into action over something that’s really not that big a deal. So I’ll be straight with you: This might not be a big deal. You might not get hacked. Or, if you do, it might be something less than worst case.

But, the odds are not heavily in your favor.

Since a hack is currently among the worst things that can happen to a business, and the steps to prevent or minimize the consequences of hacking aren’t unreasonable, yes — I’m OK if you’re frightened into securing your website. Whatever it takes.

How big an impact a hack has on your business depends on the size of your business, the degree to which your website impacts it, and the speed with which you address it. If you’ve put systems in place that can detect, contain and clean up a hack attack, you may experience little to no fallout. I’m not gonna lie: the main purpose of this article is to encourage you to do just that.

People who assume their business will always be among the half of small businesses that escape hacking — without having done a thing to prepare or prevent it — should expect to experience the following.

Loss of customer trust

When a small business website gets hacked, there can be numerous potential consequences. One of the most immediate and obvious is the loss of customer trust. When customers find out that a website they trusted has been compromised, they may become hesitant to share their personal information or make purchases. This can lead to a significant drop in sales and revenue for the business. Additionally, the negative publicity that comes with a hacked website can damage the reputation of the business, making it harder to attract new customers and retain existing ones.

We’ve seen one-person family pizza shops be fully compromised. We’ve seen one-person retail shops compromised. Independent Uber drivers targeted.

David Kennedy / TrustedSec

Theft of sensitive data

Another consequence of a hacked website is the potential loss of sensitive data. Small businesses often store customer information such as names, addresses, and payment details. If a hacker gains access to this data, it can be used for identity theft, fraud, or sold on the dark web. Not only does this put the affected customers at risk, but it can also result in legal and financial liabilities for the business. Small businesses may face lawsuits, fines, and damage to their brand image as a result of a data breach.

Loss of control over your site

Hacked websites can also be used as a platform for further attacks. Once a hacker gains control of a website, they can use it to distribute malware, launch phishing campaigns, or carry out other malicious activities. This can not only harm the visitors to the website but also lead to the website being blacklisted by search engines and security software. Being blacklisted can severely impact the website’s visibility and traffic, making it difficult for the business to recover and regain its online presence.

Loss of time and money

Lastly, the process of recovering from a hacked website can be time-consuming and costly for small businesses. They may need to hire cybersecurity experts to identify and fix the vulnerabilities that allowed the hack to occur. This can be a significant financial burden, especially for businesses with limited resources. Additionally, the downtime caused by the hack can result in lost productivity and missed opportunities.

Overall, the consequences of a hacked website can have a long-lasting impact on the success and sustainability of a small business.

Common ways hackers get into small business websites 

When it comes to hacking, there are a few common ways hackers gain access to your site. These include: 

  • Outdated software – If your website’s software isn’t up-to-date, it’s like leaving your front door unlocked. Hackers love to exploit old software because it often has known vulnerabilities they can take advantage of.
  • Weak passwords – Make sure your password is robust and unique. If it’s impossible to remember, can’t be pronounced, and is a pain in the ass to type, it’s probably a good password. Below I’ll share a way to make this simpler to deal with.
  • Unsecured Wi-Fi networks – If you or your employees log into your website over an unsecured Wi-Fi network, you’re basically inviting hackers in for a cup of tea. Or maybe a Venti Iced Skinny Hazelnut Macchiato, if we’re talking coffee shop Wi-Fi.

A public Wi-Fi network is not as safe as a private network. Unlike your own private network, you won’t know how the public Wi-Fi network was set up, who runs it, or who else is using it, making it much riskier to use.


Those first three are just the biggies, unfortunately. Other popularly exploited weaknesses include:

  • Easy to guess (or discover) user names – If a hacker can guess or find your user name, they’re halfway into your site. Do your best to guard user names for your site as carefully as you would passwords.
  • Popular software – Widely used software means more potential targets. Whether we’re talking Windows or WordPress, hackers get giddy at the prospect of gaining access to massive numbers of sites or systems.
  • Compromised PC – If someone’s gained access to your PC, they likely have access to everything you do with it, including your website. So if you suspect your computer has a virus, don’t use it to log into your website.
  • Free WordPress plugins or themes – People love free, and install free plugins and themes by the tens of thousands. There’s nothing wrong with free, but it doesn’t pay the rent. That’s why free plugins and themes are frequently abandoned by their developers. Hackers then go to town trying to find vulnerabilities while no one’s watching, and often succeed.
  • Multiple websites in one hosting account – If hackers gain access to one site in a multi-site hosting account, they are often able to then traverse the entire account and crack into its other sites. Be careful who you host with.

Weak passwords are responsible for 81% of hacking-related breaches.

Worst user name ever: ADMIN; Worst password ever: 123456

More small business website vulnerabilities that hackers exploit

Many small businesses don’t have proper security measures in place, such as firewalls, intrusion detection systems, and Secure Sockets Layer (SSL) certificates. These security measures help protect websites from various types of attacks, including brute force attacks, SQL injections, and cross-site scripting. Implementing them can significantly reduce the risk of a website being hacked.
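Brute force attacks are the easiest of the three to spot in your own web server logs, which is the kind of thing an intrusion detection system does for you. The script below is an added illustration (not code from this article, Wordfence, or any other product): it reads access log lines in the common Apache/Nginx "combined" format and flags any IP address that fails to log in more than a set number of times within a short window. The log lines are constructed samples using documentation IP ranges, and the script assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
"""Flag brute-force login attempts against /wp-login.php in access logs.
Added example; log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/Nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:10:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, path and status code from a "combined" format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins_by_ip(log_text, login_path="/wp-login.php"):
    """Collect timestamps of failed logins per source IP.

    Assumption: WordPress answers a failed POST to the login page with 200
    (the form again) and a successful one with a 302 redirect to wp-admin.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])
    return failures


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: max failures seen inside any window} for IPs over the threshold."""
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in failed_logins_by_ip(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s - candidate for a firewall block")
```

Run against the sample, only 203.0.113.7 is flagged: six failures in five seconds. The two attempts from 192.0.2.44 half an hour apart look like a person mistyping, which is why a threshold plus a time window beats a plain count. Output like this is what you would feed to a firewall or rate limiter, which is exactly the job a plugin such as Wordfence automates.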

Insecure third-party integrations can also pose a vulnerability.

Small businesses often integrate various third-party services into their websites, such as payment gateways, contact forms, or social media plugins. If these integrations have security vulnerabilities, hackers can exploit them to gain unauthorized access to the website.

One infamous example of a third-party service that was found to have a vulnerability is Adobe Flash Player. This widely-used plugin was once a staple for interactive web content, but it became a notorious gateway for hackers due to its numerous security flaws. Flash was so riddled with security vulnerabilities that Adobe itself decided to do away with it.

Small business owners should ensure that any third-party integrations they use are from reputable sources and regularly update them to patch any security vulnerabilities.

How to keep your login safe and secure

Here are some steps you can take to better protect your website’s login credentials: 

  1. Use a unique, complex password – This should include a mix of uppercase and lowercase letters, numbers, and special characters. A password manager such as LastPass or 1Password takes the hassle out of using secure passwords.
  2. Guard your user name – It’s easy for a hacker to find or figure out your user name just by looking at published content. That’s why I suggest separate user accounts for authoring and site admin tasks.
  3. Don’t share your login – Employees, contributors, support techs and anyone else who needs a login for your site should have their own login. Each user account should be limited to the lowest level of permissions needed to do their job. Delete accounts that aren’t in use.
  4. Change your passwords regularly – Don’t use the same password for years on end. Regularly updating your passwords can help keep your site secure.
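Step 1 is where most people fall down, so here is what "unique and complex" means in concrete terms. The script below is an added illustration, not code from this article or from LastPass or 1Password: it vets a password against a short common-password list, a minimum length, a character-class rule, and an entropy estimate, and it generates passwords the way a password manager does, with the operating system's secure random source. The common-password list is a constructed stub of six entries; real checks use lists with millions of leaked passwords, and the entropy figure is only meaningful for machine-generated passwords, since humans pick predictable patterns that the formula cannot see.

```python
"""Vet and generate strong passwords. Added example; the common-password
list is a constructed stub, not a real breach corpus."""
import math
import secrets
import string

# Constructed stub; a real check uses a list of millions of leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 16
MIN_ENTROPY_BITS = 80
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(password):
    """Bits of entropy assuming each character was drawn uniformly from the
    pool implied by the classes present. Optimistic for human-chosen passwords."""
    pool = sum(POOL_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def password_problems(password):
    """Return a list of reasons the password is weak; empty means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three character classes")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_password(length=20):
    """Generate a random password from the full printable pool, retrying until
    it passes the same checks a user-supplied password must pass."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3-Xyzzy-Quux!", generate_password()):
        verdict = password_problems(pw) or ["ok"]
        print(f"{pw!r}: {estimated_entropy_bits(pw):.0f} bits, {', '.join(verdict)}")
```

"123456" fails all four checks; a 20-character password from the full printable pool carries roughly 130 bits under this estimate, which is why a manager-generated password beats anything you would memorise. Because the generator uses `secrets` rather than `random`, the output is suitable for credentials.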

Remember, your website’s security is only as strong as its weakest link — which in my experience is always a password. So, make sure you’re doing everything you can to fortify your defenses.


Signs that indicate your website has been hacked

Your website has been running pretty smoothly, right? Then one day you wake up to bizarre changes on your site. But you didn’t make those changes. So, what’s going on? Could it be that your website has fallen prey to a hacker?

Here are a few signs that suggest your site was compromised: 

  • Unexpected Changes – If you notice strange changes on your website that you did not authorize, it’s a clear red flag. It could be anything – from new posts to weird links to altered content, or a completely different theme. While you might first chalk it up to a glitch, it’s always better to be safe than sorry.
  • Website Slow Down – If your website takes longer to load or if certain features are not working as they used to, it could indicate that unwanted scripts are running in the background. A sluggish website doesn’t just irritate users, it could also be a potential hacker’s calling card.
  • Redirecting to Another Site – This is maddening to the uninitiated site owner, because one minute their site is redirecting to a site for black market goods, then the next seems fine. This is by design. It might be that it only happens on mobile, or only when clicking through from Google search results.
  • Unusual Traffic Spikes – Seeing a sudden increase in traffic might initially appear exciting, but if it’s coming from strange locations, consider it a red alert. A hacker might be using your website for nefarious purposes, like sending spam emails or hosting illegal content.
  • Google Warnings – If Google blacklists your website or your browser displays a warning before anyone can visit your site, it is likely that your website has been compromised. Such warnings usually mean that Google has detected malicious activity on your site.
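The first sign on that list, unexpected changes, is the one you can detect mechanically rather than by luck: record a hash of every file in the site, store that baseline somewhere the site cannot reach, and compare again later. That is the core of what a malware scanner's file-change check does. The script below is an added illustration (not Wordfence's, Sucuri's, or any plugin's own scanner): it builds a SHA-256 manifest of a constructed temporary site tree, saves it as JSON, then reports added, removed and modified files after two constructed changes of the kind the article describes. All file names and contents are made up for the demonstration.

```python
"""Detect unexpected file changes by comparing SHA-256 manifests.
Added example over a constructed temporary site tree."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Return files that appeared, vanished, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a baseline, apply constructed tampering, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed stub of a site file\n")
        (theme / "header.php").write_text("<html><!-- constructed theme header --></html>\n")

        # Baseline kept outside the web root; in practice store it offsite,
        # otherwise whoever changes the files can change the baseline too.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)

        # Constructed "unexpected changes": an edited theme file and a PHP
        # file appearing in uploads, which should never hold executable code.
        (theme / "header.php").write_text("<html><!-- constructed: edited without authorization --></html>\n")
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "cache-helper.php").write_text(
            "<?php // constructed: file that was never part of the site\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run nightly from a cron job, this turns "I noticed something odd" into a report you can act on the same day, and the list of changed files is also the first thing a clean-up service will ask for. For WordPress core files you do not even need your own baseline: WP-CLI's `wp core verify-checksums` compares them against the checksums WordPress publishes for that release.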

As someone running a business mostly on her own, I understand the kind of overwhelm that makes you want to throw your hands up and deal with a possible hacking situation later. Like, next week. Or maybe it will go away. But it doesn’t. It just gets worse, and then you’re blacklisted and can’t get website traffic.

Prevention is best, obviously. If you didn’t do that (or you did, but it failed), quick action to clean it up is the next best thing.


Free or affordable tools to monitor or protect your WordPress website

If you’re on a tight budget, there are some free or affordable tools out there that can help. The downside of free tools, though, is that they often handle only one aspect of security. Still, some security is better than none.


Wordfence is a popular security plugin for WordPress sites. Although its best plans come at a cost, Wordfence offers a free version that provides a good level of protection. This includes an endpoint firewall and a malware scanner. The firewall helps fend off the worst attacks, and the malware scanner can alert you when it detects something that’s managed to get through.


While Sucuri offers premium packages, its free site checker is an excellent tool for identifying potential threats. It scans your website for malware, website errors, and outdated software. If issues are found, you can enlist Sucuri’s help to fix them, starting from around $200 US.


Cloudflare is a performance and CDN service that also offers a solid line of defense against DDoS attacks, dangerous bots, and data breaches. Cloudflare’s free plan includes these security features, making it an affordable way to boost your site’s security. 

How professional website management and maintenance help prevent hacks

Just as cars need regular tune-ups to keep them running smoothly, there are a number of weekly, daily and monthly tasks that should be performed so that your website continues to support your business. Site maintenance and management tasks don’t involve nerd-level expertise (unless something goes wrong, anyway), so in theory anyone could handle it.

But what we have found is: most small business owners don’t regularly do maintenance.

Proper site management requires somewhere between eight and 12 hours per month, depending on the site. I know what you’re thinking: I could do so many “more important” things in that time. Or some variation on that theme. The problem is when ignoring it intersects with an opportunistic hacker (or some other obnoxious glitch that takes your site down).

Outdated software and plugins account for 30% of website vulnerabilities.


That’s why I feel strongly that professional website maintenance isn’t just a nice-to-have, but an absolute necessity for small businesses that may be more vulnerable than their mid and large-size counterparts. Not to mention far more time crunched.

Let’s cover reasons why professional maintenance is a key strategy for preventing your small business website from becoming low-hanging fruit for digital miscreants.

Regular Backups 

All solid site management plans begin with backups, stored in a secure location that is not in the same space as your website. In the event your site does get hacked, these backups ensure that you have a safety net.

Regular, automated backups keep your data safe. It’s like having a digital time machine – in case of a problem, you can go back to a time when things were just peachy. 

Regular Monitoring and Updating 

Professional website management involves consistent monitoring and updating of your site. Think of it as your website’s personal bodyguard, always keeping an eye out for any suspicious activity. When an update is available for your site’s platform or plugins, it is implemented, ensuring that your site is less vulnerable to attacks.

It’s important to note that, occasionally, a bad update is issued. That’s why the best website management services — AFV’s Site Care is one — personally check sites after each update, and can roll back to the site’s pre-update state if there’s a glitch.

Strong Security 

A good website management service provides security features that repel attacks – a firewall, for example. They’ll also often include frequent security scans, so you’d know pretty quickly if your site was compromised by malware. AFV has alerts set up to notify us immediately if malware is found, and tools that allow us to quickly remove it before it does further damage.

Professional website management and maintenance is all about comprehensive, proactive defense. Not simply stressing out about it or piecemealing it. It’s a combination of regular updates, strong security measures, frequent backups, quick response times, and expert advice. Most single-site plans run around $100/mo US for WordPress websites. It’s a small price to pay for peace of mind and expert eyes on your site every single day.

Around 60% of small businesses that suffer a cyber attack go out of business within six months.


The Bottom Line

Small businesses become prime targets for hackers when their owners are too busy, too stressed or too oblivious to keep a close eye on the ways their site can be compromised. The good news is that there are concrete steps you can take to significantly reduce the risk that your business website will suffer a hack. 

It’s not about making your website completely unhackable. That’s impossible. But you can make it less appetizing for hackers. Here’s a quick recap of the best ways to do that: 

  • Use strong passwords — Make sure all user accounts are secured with a strong password, and don’t share accounts.
  • Be cautious with free plugins and themes — They’re mostly OK, but they’re more likely to have issues you won’t know about until it’s too late (because they’re abandoned, and you wouldn’t be notified).
  • Make sure you have backups — Reliable automated daily offsite backups protect against hacking and the inevitable glitches. You can often set up backups on your own, but the tools professionals use for site backups are more reliable.
  • Keep plugins and themes updated — If you’ve hired a website management service, this is their #2 most important job. If not, ideally you should check daily for any security-related updates. That’s probably not realistic for busy “I wear all the hats” small business owners, though. Make a habit of logging in and checking for updates at least once a week.
  • Install Wordfence — If you aren’t using a service that provides monitoring and a firewall, install and configure Wordfence. Upgrading to a paid Wordfence plan is best, as you’ll receive protective updates more quickly.
  • Consider professional site management — The $100-ish you’ll spend every month will be worth the expertise you’ll gain and the time you’ll save. I might be biased, but I think Site Care is a great value for small businesses with WordPress websites.

Strengthening your small business website doesn’t have to be a monumental task. Yes, prevention takes a little time, or a little money. But it’s better than the alternative: Suffering through a hack and the resultant mess.

Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.

Kevin Mitnick