Website security: what a business actually needs
"Who would bother attacking my website? I've got nothing valuable on it." That's the line we hear most often when security comes up with business owners. And it's exactly the wrong assumption that almost every problem starts from.
The truth is that most attacks on a website don't pick their victims. There's no person who decided to come after you. There are automated programs, so-called bots, scanning the internet around the clock looking for sites with a door left open. A brand new site gets found and probed within hours, not months. The right question isn't "why would anyone attack me", it's "would my site survive a probe from some random bot?".
Let's look, without scare tactics and without needless jargon, at what having a secure website really means.
What attackers are after (and why it's often not what you'd think)
The goal is rarely "stealing your secrets". Far more often a compromised site is just a means to do something else:
- Sending spam or hosting scam pages without your knowledge, riding on your domain's reputation.
- Damaging your credibility: a storefront showing a "not secure" warning or an error screen pushes customers away in a second.
- Getting hold of your customers' data: addresses, emails, phone numbers, sometimes much more. Once that data is out, it doesn't come back.
- Holding you to ransom: locking your site or data and making you pay to get it back.
The point is that the damage is almost never just technical. It's commercial, and about trust. Recovering a compromised site takes time, but recovering the trust of a customer who saw their email end up where it shouldn't costs far more.
HTTPS is no longer optional
The padlock next to your site's address isn't a cosmetic detail. It means the connection between your customer's browser and your site is encrypted: what gets typed into a form, a password or a phone number, doesn't travel in the clear where someone could read it.
Today a site without HTTPS is flagged as "not secure" by browsers, penalised in search results and, quite simply, makes a terrible impression. It's the bare minimum, and it should be taken for granted in every project, not bolted on later. The important part, though, is that the certificate is valid and renews itself automatically: an expired certificate suddenly turns your site into a red warning screen, usually right when you're not paying attention.
The three most common weaknesses (and they're almost always trivial)
In the vast majority of cases no sophisticated attack is needed. Three very widespread oversights are enough.
1. Out-of-date software. Every site relies on software components, and those components get updates that, among other things, close holes discovered over time. A site left untouched for two years is a site with two years of known weaknesses, already documented, that bots know by heart. Most break-ins exploit exactly these old, already fixed holes, on sites where nobody ever applied the updates.
2. Weak access. A reused password, an obvious password, an admin panel anyone can reach without a second check. Two-factor authentication, the one that asks for an extra code on top of the password, single-handedly shuts out almost all automated attempts. It's one of the most effective protections there is, and one of the most neglected.
3. Unprotected forms. The contact form is the door you deliberately open to the public, which is exactly why it's one of the most probed points. Without some defence it gets flooded with spam, used to send messages in your name, or used to try slipping malicious data into the site. You need anti-bot filters, limits on how many submissions are allowed, and proper validation of whatever comes in.
None of this is rocket science. It's basic hygiene. The problem is that "basic" doesn't mean "automatic": someone has to take care of it.
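As an added illustration of point 3 (not code from the original article), here is a minimal server-side guard for a contact form in Python: a hidden honeypot field as a cheap anti-bot filter, a per-address sliding-window limit on how many submissions are accepted, and validation of what comes in, including a refusal of line breaks in the fields that end up in mail headers. The field names, size limits and window length are assumptions chosen for the example; a real form would sit behind a web framework and usually add a CAPTCHA or similar as well.

```python
import re
import time
from collections import defaultdict, deque

# Assumptions for this example: the form posts "name", "email" and "message",
# plus a hidden "website" field that a human never fills in (the honeypot).
HONEYPOT_FIELD = "website"
MAX_SUBMISSIONS = 3      # accepted per client address ...
WINDOW_SECONDS = 600     # ... within this sliding window
LIMITS = {"name": 100, "email": 254, "message": 4000}   # max characters per field
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")    # deliberately simple shape check


class SlidingWindowLimiter:
    """Counts submissions per client key inside a sliding time window."""

    def __init__(self, limit=MAX_SUBMISSIONS, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        # Forget timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate(form):
    """Return a list of problems; an empty list means the submission is acceptable."""
    problems = []
    if form.get(HONEYPOT_FIELD):
        problems.append("honeypot filled: likely a bot")
    for field, limit in LIMITS.items():
        value = form.get(field, "")
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing")
        elif len(value) > limit:
            problems.append(f"{field}: longer than {limit} characters")
    email = form.get("email", "")
    if isinstance(email, str) and email and not EMAIL_RE.match(email):
        problems.append("email: not a valid address")
    # Line breaks in fields copied into mail headers would let a sender add headers of their own.
    for field in ("name", "email"):
        value = form.get(field, "")
        if isinstance(value, str) and ("\r" in value or "\n" in value):
            problems.append(f"{field}: line breaks not allowed")
    return problems


def handle_submission(form, client_ip, limiter, now=None):
    """Decide what to do with one submission: returns ('accepted' | 'rejected', reasons)."""
    now = time.time() if now is None else now
    if not limiter.allow(client_ip, now):
        return "rejected", ["too many submissions from this address"]
    problems = validate(form)
    if problems:
        return "rejected", problems
    return "accepted", []


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    limiter = SlidingWindowLimiter()
    human = {"name": "Ada", "email": "ada@example.com", "message": "Hello", "website": ""}
    bot = dict(human, website="http://spam.example")
    print(handle_submission(human, "203.0.113.5", limiter))
    print(handle_submission(bot, "203.0.113.6", limiter))
```

Rejected attempts count against the limit as well, so a bot hammering the form with junk is cut off after the same number of tries as anyone else.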
Customer data is a responsibility, not just an asset
The moment a site collects even a single email address, you're holding other people's data. That comes with two practical implications.
The first is to collect only what you genuinely need. Every piece of data you don't ask for is a piece of data you can't lose. The second is to protect what you keep: data stored in encrypted form, access limited to those who actually need it, no sensitive information left in places it shouldn't be (a public file, a log, a forgotten page).
There's a regulatory angle too, the GDPR, but even setting the law aside the reasoning stands on its own: your customers' data is the most delicate thing they entrust to you. Handling it with care is part of the service, not an optional extra.
Backups are the parachute nobody checks until they need it
A site can break for a thousand reasons that have nothing to do with an attack: a botched update, human error, a server failure. The difference between a one-hour nuisance and a multi-day disaster comes down to one thing: having a recent backup and knowing it works.
The classic mistake isn't failing to make backups, it's making them and never once testing them. A backup you can't restore is a backup that doesn't exist. The sensible rule is simple: automatic, regular copies, kept somewhere separate from the site itself, and a periodic check that the restore actually works.
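What "a periodic check that the restore actually works" can look like, as an added Python example that is not part of the article: a constructed sample site directory is archived, the archive is restored into a scratch directory, and the restored tree is compared file by file against the original by SHA-256, so the check fails if the backup is incomplete, corrupt or stale. The directory layout and file contents are made up for the demonstration; in real use the archive would be copied somewhere separate from the site before the restore test.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map every file under root (relative path -> SHA-256) so two trees can be compared."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(site_dir, archive_path):
    """Write a compressed tar archive of site_dir; returns the archive's own SHA-256."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return hashlib.sha256(Path(archive_path).read_bytes()).hexdigest()


def verify_restore(archive_path, expected_digests):
    """Restore the archive into a scratch directory and compare it with the expected tree.
    Returns (ok, list of differences)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to some 3.8-3.11 releases)
                # refuses archive entries that would escape the target directory.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        restored = file_digests(Path(scratch) / "site")
    differences = []
    for name, digest in expected_digests.items():
        if name not in restored:
            differences.append(f"missing after restore: {name}")
        elif restored[name] != digest:
            differences.append(f"content differs: {name}")
    for name in restored:
        if name not in expected_digests:
            differences.append(f"unexpected file: {name}")
    return (not differences), differences


def demo(change_after_backup=False):
    """Build a constructed sample site, back it up, restore and check.
    With change_after_backup=True a file is edited after the backup, so the
    check shows how a stale backup is caught. Returns (ok, differences)."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "www"
        (site / "uploads").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Hello</h1>")
        (site / "config.php").write_text("<?php $db_host = 'localhost'; ?>")
        (site / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample bytes")
        archive = Path(work) / "site-backup.tar.gz"
        make_backup(site, archive)
        if change_after_backup:
            (site / "index.html").write_text("<h1>Changed since the backup</h1>")
        return verify_restore(archive, file_digests(site))


if __name__ == "__main__":
    print("fresh backup:", demo())
    print("stale backup:", demo(change_after_backup=True))
```

The same comparison works for a database dump: restore it into a throwaway database and compare row counts or checksums with the live one.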
Security is a process, not a product
The most dangerous idea is to think of security as something you "do once and then it's done". It doesn't work that way. Software changes, attack techniques change, and a site that was secure last year may not be secure today without anyone having touched a thing.
Having a genuinely protected site means holding a few habits together over time: applying updates when they come out, correctly configuring the security headers that tell the browser what to allow, keeping an eye on unusual attempts, and having a clear plan for when something goes wrong. It's not flashy work, and that's precisely the point: when it's done well, you never notice it.
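Two of the habits above, a certificate that renews before it expires (the point made under "HTTPS is no longer optional") and correctly configured security headers, are things a small script can check on a schedule. The following Python is an added example, not the article's own code: it grades a certificate by the days left before its notAfter date and reports which common security headers are missing or set to a weak value. The recommended header values are a baseline assumed for the example, the 14-day warning threshold is an arbitrary choice, and fetch_site_state is the live variant that needs network access; the sample certificate and headers in the block are constructed.

```python
import socket
import ssl
import time

# Baseline values assumed for this example; adjust them to what the site really needs.
RECOMMENDED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000


def hsts_max_age(value):
    """Extract the max-age directive from a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def check_headers(headers):
    """Return a list of findings for the given response headers (empty list = nothing to flag)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, baseline in RECOMMENDED_HEADERS.items():
        if name not in present:
            findings.append(f"missing: {name} (suggested: {baseline})")
    hsts = present.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak: strict-transport-security max-age is below one year")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("weak: x-content-type-options should be 'nosniff'")
    for leaky in ("server", "x-powered-by"):
        if leaky in present and any(ch.isdigit() for ch in present[leaky]):
            findings.append(f"info: {leaky} header advertises a software version")
    return findings


def certificate_days_left(cert, now=None):
    """Days until expiry, given the dict shape that ssl.SSLSocket.getpeercert() returns."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_certificate(cert, now=None, warn_days=14):
    """Grade the certificate: 'EXPIRED ...', 'WARN ...' or 'OK ...'."""
    days = certificate_days_left(cert, now)
    if days < 0:
        return f"EXPIRED {-days:.0f} days ago"
    if days < warn_days:
        return f"WARN expires in {days:.0f} days; check that auto-renewal is working"
    return f"OK {days:.0f} days left"


def fetch_site_state(host, port=443, timeout=5):
    """Live check (needs network): return (peer certificate dict, response headers dict)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            raw = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return cert, headers


if __name__ == "__main__":
    # Constructed sample data, not fetched from a real site.
    sample_cert = {"notAfter": "Jan  1 00:00:00 2030 GMT"}
    sample_headers = {"Server": "ExampleServer/1.0", "Strict-Transport-Security": "max-age=300"}
    print(check_certificate(sample_cert))
    for finding in check_headers(sample_headers):
        print(finding)
```

Run against your own site with `cert, headers = fetch_site_state("www.example.com")` followed by `check_certificate(cert)` and `check_headers(headers)`; a WARN on the certificate a couple of weeks before expiry is exactly the signal that the automatic renewal has silently stopped working.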
In practice
If you run a website or a web app and you can't confidently answer questions like "does the certificate renew on its own?", "when was the last update applied?" or "if the site disappeared tomorrow, how long would it take to bring it back?", it's probably worth running a check before a bot runs one for you.
We can look together at the state of your site today and tell you, no spin, where you're covered and where you're not. The quote is free, and the most important things to fix are often the simplest ones too.