Website security for SMEs — what really matters and what is just show


What really happens when an SME site gets hacked

Most ideas of a "hack" come from films: someone sitting in front of a dark screen, targeted, with a political or commercial agenda. The reality with SME sites is less spectacular and precisely for that reason more widespread. Automated bots scan the open internet day and night for outdated software, weak passwords, and unsecured forms. Your local plumbing contractor, the family hotel with 38 rooms, and the tax adviser in the regional capital are not targets — they are simply what the bots find first.

What concretely happens then can be summed up in four patterns.

First, the site becomes a spam relay. Attackers drop a mailer script that sends thousands of mails through your server. Consequence: your domain lands on blocklists, your own business mails are no longer delivered, the hosting provider suspends your account.

Second, the site gets redirected. Visitors click on your search result and end up on a gambling, pharmaceutical, or phishing page. Google notices and puts your domain on its Safe Browsing warning list, which greets visitors with a red blocking page.

Third, data is siphoned off. On sites with forms, customer areas, or online shops: names, mail addresses, possibly payment data. Consequence: GDPR notification duty within 72 hours, possible fine proceedings, loss of trust among those affected.

Fourth, the site is encrypted: ransomware. That is rarer on small WordPress sites but quite common on larger CMS installations. Consequence: no site at all until the backup is restored.

Stefan, a plumbing and heating contractor in Carinthia with 14 employees, experienced variant one last year. For three days his business mails bounced because his domain sat on spam blocklists, including Microsoft's, which for a business whose order intake runs through mail was considerably more expensive than restoring the site itself. The cause was a contact-form plugin that had not seen an update in a year and a half.

The five fundamentals every SME site needs

Before you invest in premium security tools, ask yourself whether the five basic disciplines are covered. In roughly three quarters of hack incidents on SME sites, one of these five pillars was the open door[1].

  1. HTTPS and a valid SSL/TLS certificate. Browsers have flagged plain HTTP as "Not secure" since 2018; serious hosts set up the certificate automatically. A "Not secure" warning in the address bar is a trust problem before the security topic even begins.
  2. Up-to-date software and updates. CMS core, theme, plugins, PHP version, database version. Outdated components are the most common entry point.
  3. Reliable backups. At least daily, separated from the running site, restorable within 60 minutes in an emergency.
  4. Strong logins and two-factor authentication. For every account with write rights — no leeway, not even for the secretary's son who "just quickly" swaps the photo.
  5. Form and bot protection. Captcha, honeypot fields, rate limits. Without these three measures, every contact form is an open mailbox for spammers and phishing.

If you have these five points covered cleanly, you are not unhackable — but you are no longer part of the automated mass sieve that causes most incidents.

HTTPS — the obviousness check

HTTPS and the SSL certificate are the entrance ticket. Without them, modern browsers label your site "Not secure", which visitors notice immediately and which Google counts against you in the ranking.

With serious hosts, a valid SSL certificate today is free and set up automatically, usually via Let's Encrypt, whose certificates are valid for 90 days and are renewed automatically before they expire. If you have a host that charges extra for SSL, you have the wrong host.

What you can check yourself: open your site and look at the address bar. If it says "Not secure" or shows a warning instead of the lock, your site has a concrete problem you should fix today, not next week. Clicking the lock shows the certificate and its expiry date; a certificate that expires in a few days with no automatic renewal in place is the same problem one week later.

Deeper notes on SSL certificate types and configuration are gathered in the SSL and HTTPS overview for SMEs. For this overview it suffices: HTTPS is mandatory, costs nothing, is set up in under an hour — if you do not have it, you do not have a security discussion, you have a setup gap.

Up-to-date software — why "still running" is the most expensive security feeling

The most common statement in security audits: "the site has been running for three years without problems". Translated: no one has touched it, no one has applied updates, no one has checked whether the deployed plugins are still being maintained.

Software security works like this: someone finds a vulnerability in a CMS, a theme, a plugin. The vulnerability is reported, the vendor publishes an update. Within hours, bots start specifically searching for sites that have not yet installed the update. Those who do not update in the first week after such a release cycle have a concrete risk window.

Three routines help.

First, an update rhythm. With WordPress at least monthly, with critical security updates within 48 hours. With kit-builder sites, the provider handles the core platform, but not every third-party app or external script you have embedded.

Second, an inventory list. Which plugins, themes, tools run on your site. If you cannot answer that yourself, your designer can — if no one can, that is the actual problem.

Third, quiet pruning. Plugins whose developers have stopped releasing updates should be deleted, not merely deactivated: a deactivated plugin's files are still on the server and still reachable over HTTP. Even if they "still work" today, vulnerabilities are found later and no one patches them.
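The three routines above reduce to one report: what is installed, what has a pending update, what is merely deactivated, and what nobody maintains any more. The following Python script is an added example, not code from the page or from WordPress. It reads an inventory in the shape that `wp plugin list --format=json` prints; the inventory shown is constructed, and the "last_updated" field is an assumption: WP-CLI does not emit it, so it is taken to have been looked up on each plugin's wordpress.org page and added by hand.

```python
import json
from datetime import date, timedelta

# Constructed sample inventory, not taken from a real site. The fields name,
# status, update, version and update_version mirror what
# `wp plugin list --format=json` prints; "last_updated" is assumed to be
# looked up by hand on each plugin's wordpress.org page and added here.
SAMPLE_INVENTORY = json.dumps([
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.7.2", "update_version": "5.9.8", "last_updated": "2024-09-10"},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "1.3.0", "update_version": "", "last_updated": "2021-03-02"},
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": "", "last_updated": "2024-10-01"},
    {"name": "legacy-slider", "status": "active", "update": "none",
     "version": "2.0.1", "update_version": "", "last_updated": "2022-11-20"},
])


def audit_plugins(inventory_json, today, stale_after_days=540):
    """Return {plugin: [findings]} for every plugin that needs attention.

    Three checks, one per routine in the text:
    - update == "available": a newer release exists; install it (48 h for
      security releases).
    - status == "inactive": the files are still on disk and reachable over
      HTTP, so deactivating removed nothing. Delete it.
    - last release older than stale_after_days (default about 18 months):
      nobody is patching it any more; plan a replacement.
    `today` is an ISO date string so the report is reproducible.
    """
    today = date.fromisoformat(today)
    findings = {}
    for plugin in json.loads(inventory_json):
        reasons = []
        if plugin.get("update") == "available":
            reasons.append(
                f"update {plugin['version']} -> {plugin['update_version']}")
        if plugin.get("status") == "inactive":
            reasons.append("inactive but still installed: delete")
        last = plugin.get("last_updated")
        if last:
            age = today - date.fromisoformat(last)
            if age > timedelta(days=stale_after_days):
                reasons.append(f"no release for {age.days} days: unmaintained")
        if reasons:
            findings[plugin["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_plugins(SAMPLE_INVENTORY, "2025-03-01").items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it once a month as part of the update rhythm; the plugins it lists are the inventory list from the text with the work already sorted into "update", "delete" and "replace".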

Backups — the only insurance that really pays

When something happens, the backup is the difference between three hours of downtime and three weeks of crisis mode. The theory is clear, practice often looks different.

Three backup mistakes that occur in every second SME setup.

Backup on the same server. If the server falls, the backup falls with it. That is not a backup, it is a copy. A real backup lies on a separate system — automatic with the host, ideally additionally in a cloud outside your own hosting provider.

Backup that has never been tested. You only know your backup works when you have restored it. A test restore on a staging environment every six months separates the real backups from the pseudo-backups.

Backup that is too old. Daily backups are the minimum, hourly with active shops or booking systems. If you lose five bookings in a day, you have lost — even if yesterday's backup works.
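The second and third mistakes above have one cure: restore the backup somewhere harmless and compare it with the live site. The Python below is an added example, not code from the page or from any hosting provider. It packs a site's files into an archive, records a checksum for the off-server copy, restores into a scratch directory, and reports every file that is missing, changed, or stale. The site it works on is constructed inside the script; the database dump that a real backup also needs is outside its scope.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Checksum of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, archive_path):
    """Pack the site's files into a gzip tarball and return its SHA-256.

    Store the checksum with the off-server copy: a copy that no longer matches
    it is corrupt or tampered with, and you want to know that before the
    emergency, not during it. (The database dump is the other half of a real
    backup and is not covered here.)
    """
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return sha256_of(archive_path)


def verify_restore(archive_path, expected_sha256, site_dir):
    """Restore into a scratch directory and compare every file with the live
    site. Returns (ok, problems). This is the 'has it ever been restored'
    test from the text, done without touching the live site."""
    if sha256_of(archive_path) != expected_sha256:
        return False, ["archive checksum mismatch: corrupt or tampered copy"]
    site_dir = Path(site_dir)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (3.12+, backported)
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = Path(scratch, "site")
        for live in site_dir.rglob("*"):
            if not live.is_file():
                continue
            rel = live.relative_to(site_dir)
            copy = restored / rel
            if not copy.is_file():
                problems.append(f"missing in backup: {rel}")
            elif sha256_of(copy) != sha256_of(live):
                problems.append(f"content differs: {rel}")
        for copy in restored.rglob("*"):
            rel = copy.relative_to(restored)
            if copy.is_file() and not (site_dir / rel).exists():
                problems.append(f"in backup but no longer live: {rel}")
    return not problems, problems


def run_demo():
    """Constructed demo: a tiny fake site, backed up and restore-tested, then a
    file added after the backup to show how a stale backup fails the test."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work, "htdocs")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'constructed sample'; ?>\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed\n")
        archive = Path(work, "site.tar.gz")
        digest = make_backup(site, archive)
        clean_ok, clean_problems = verify_restore(archive, digest, site)
        # Yesterday's backup versus today's site: one new upload is enough to fail.
        (site / "wp-content" / "uploads" / "new-upload.pdf").write_bytes(b"%PDF constructed\n")
        stale_ok, stale_problems = verify_restore(archive, digest, site)
        return {"clean": clean_ok, "clean_problems": clean_problems,
                "stale": stale_ok, "stale_problems": stale_problems}


if __name__ == "__main__":
    print(run_demo())
```

The checksum is what makes the "separate system" rule checkable: if the copy in the external cloud does not hash to the value recorded at backup time, it is not the backup you think it is. The comparison pass is the six-monthly test restore from the text; run it against a staging copy of the site, never against production.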

Strong logins and two-factor — the most common entry point

Over 80 percent of all automated site attacks try to log in via weak passwords and known default users. Bots try thousands of combinations per second — "admin/admin", "admin/12345", the top 100 of known password lists.

Three measures suffice to almost completely exclude this class of attacks.

First, a user name that is not "admin". The default user in WordPress is the first combination every bot tries. Do not overrate this step, though: WordPress reveals user names through author archives and the REST API, so a different name filters only the laziest bots. It is the password and the second factor that do the work.

Second, passwords with genuine complexity. At least 16 characters, generated by a password manager, never reused. "Summer2024!" no longer belongs in any site.

Third, two-factor authentication for all accounts with write rights. Use an authenticator app, not SMS codes: SMS can be intercepted or redirected by a SIM swap, while an app-generated code never travels over the phone network at all. For WordPress there are free plugins; with kit-builder providers, 2FA is usually available in the account settings.

If you implement only one point from this article, it should be two-factor authentication for your admin access. Effort: ten minutes. Effect: it stops practically every automated password-guessing attack. It does nothing against an outdated plugin, which is why it sits beside the update routine, not in place of it.
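Why an app-generated code has nothing to intercept becomes clear when you see how one is made. The Python below is an added example, not code from the page, from WordPress, or from any 2FA plugin: it implements the time-based one-time password that authenticator apps use (RFC 4226 HOTP and RFC 6238 TOTP), plus the server-side check a site performs. The code is derived from a shared secret and the clock on both sides, so nothing is sent to the phone. The secret shown is the published RFC test secret, used only so the output can be checked against the RFC's own tables; the `window` and replay rule on the verifier are this example's design choices.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the Unix epoch.
    Phone and server compute this independently from the same secret and the
    clock; no code is ever transmitted to the phone, so there is no SMS to intercept."""
    return hotp(secret, int(at) // step, digits)


def enrolment_string(secret):
    """What the enrolment QR code carries: the secret as unpadded Base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text):
    """Reverse of enrolment_string; tolerates spaces and lowercase from a typed-in key."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps on either
    side for clock drift, and never accepts a step twice: a code that someone
    phished or read over your shoulder cannot be replayed within its 30 s."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code, at):
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(at) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than one already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# Test secret from RFC 4226 / RFC 6238 Appendix B: the ASCII digits "1234567890"
# twice. Only for checking the implementation; a real secret is 20 random bytes.
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("enrol with:", enrolment_string(RFC_SECRET))
    print("code right now:", totp(RFC_SECRET, time.time()))
```

Two things the verifier shows that a plugin's settings page does not: the drift window means a code from the previous 30 seconds is still accepted, and the replay rule means the same code is never accepted twice. What TOTP does not protect against is a phishing page that relays the code to the real site within those 30 seconds; only hardware keys or passkeys close that gap, which is a separate decision from the one this article asks you to make.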

Spam, bots, forms — what should stay at the door

A contact form without protection is an open mailbox for spam bots. Within weeks of launch, dozens of automated messages per day arrive, destroying your overview and in the worst case overlaying real enquiries.

Three protection mechanisms that work together.

Captcha or invisible bot detection. reCAPTCHA from Google is widespread but has data-protection implications (third-country data transfer). Alternatives such as hCaptcha or Cloudflare Turnstile are more GDPR-friendly.

Honeypot fields. A hidden form field that only bots fill in. If the field contains a value, the input is discarded. Invisible to real visitors, a reliable trap for bots.

Rate limits. If three forms arrive from one IP address in ten seconds, that is not an eager customer, that is a bot. Such submissions are blocked temporarily, never permanently: an office or mobile network can hide many real people behind a single address.

Combining all three reduces the spam quota by around 95 percent. Without any of them, you wonder why real enquiries drown in the spam swamp.

Who is actually responsible? Hosting models compared

The question of who is responsible for what is particularly tricky with security. Four typical setups.

Kit-builder providers such as Wix or Squarespace. Here the provider takes care of server security, SSL, CMS updates, and infrastructure backups. What stays with you: strong logins, 2FA, data-protection configuration, third-party apps. If you would rather not carry the technical responsibility yourself, you are well placed, at the cost of less adaptability.

Shared WordPress hosting at a discount provider. You share the server with hundreds of other sites, the provider does infrastructure backups, all software updates are your job. That is the model with the highest self-responsibility and at the same time the most common neglect.

Managed WordPress hosting. The provider takes over updates, backups, performance optimisation — at higher monthly costs between 25 and 80 euros. Significantly higher security level than discount hosting, in exchange for limited configuration freedom.

Custom CMS on your own hosting. Self-built site, own server or VPS. Full control, full responsibility. This model only makes sense if someone internally or externally takes over ongoing maintenance — otherwise the control freedom becomes a burden, not an advantage.

Which model suits you depends less on price than on who is responsible for ongoing security discipline in everyday life.

What many SME managers underestimate: security is not just a question of good will but a legal obligation. Article 32 GDPR demands "appropriate technical and organisational measures" to protect personal data. Translated: HTTPS, secure logins, backups, and updated software are not voluntary; you must have them and be able to show that you have them.

In the event of an incident, a data leak or a hack with data outflow, you have 72 hours from becoming aware of it to report to the relevant supervisory authority. Anyone who does not react in that window or cannot demonstrate their previous protective measures is not only in technical crisis mode but also in legal trouble.

Andrea, owner of a 38-room hotel in the Carinthian mountains, experienced this last year from the outside — another hotel in the region was affected, the data-protection authority asked across the sector. With her, everything was documented: SSL, backups, 2FA, regular updates. The enquiry was answered in 20 minutes. With a competitor, correspondence dragged on for several weeks because basic security evidence had to be produced retroactively.

The GDPR interface has an unpleasant side effect: what you do not handle in advance costs a multiple in the event of an emergency — lawyer, forensics, crisis communication. Anyone who has handled the five fundamentals has already drawn the argumentation line in almost every incident.

What you can do yourself — and when a professional hand is due

Four disciplines are realistically achievable by non-technicians in a few hours.

First, secure all admin accesses with two-factor. Duration: ten to thirty minutes per account, one-off. Tooling: an authenticator app on your phone.

Second, replace weak passwords. With a password manager (1Password, Bitwarden, KeePass) invest an hour, work through all access points. Bonus: you do not need to remember a single one.

Third, check your own backup. Ask the host what is backed up, how often, and how a restore works. If after a direct conversation you still do not know how your site can be restored within hours in an emergency, you have found the real gap.

Fourth, check forms. Captcha active, honeypot built in — if not, catch up in half an hour.

What needs a professional hand: vulnerability scan, plugin audit on no-longer-maintained components, server security configuration (firewall, Fail2Ban, HTTP headers), building a monitoring system that warns you before something happens. Realistic fees: between 400 and 1,500 euros for a one-off security audit with a measures list, depending on scope.

If your site also has bookings, shop functions, or a customer login area, the one-off investment in an audit is almost always the cheapest thing you can do in security terms.

What is configured securely today is not automatically secure in eighteen months. Plugins are no longer maintained, vulnerabilities are discovered, new attack patterns emerge. Security is therefore not a project with an end point but an ongoing discipline — half an hour once per quarter, or an ongoing maintenance contract with your designer.

Frequently Asked Questions

How likely is my SME site to be attacked at all?

Automated bot scans reach practically every publicly accessible site multiple times daily. The question is not whether your site is scanned but whether on that scan an open door is found. Anyone covering the five fundamentals has closed the open doors.

Is an SSL certificate enough as a security measure?

No. SSL only encrypts and authenticates the connection between browser and server. It does not protect against weak passwords, outdated software, or unsecured forms. SSL is the entrance ticket, not security itself.

How often should I back up my website?

At least daily for a regular SME site, hourly with active shops or booking systems. The backup must lie separately from the main server and be tested regularly. A never-restored backup is only an assumption that it works.

What does a professional security audit cost for an SME site?

Realistic range between 400 and 1,500 euros for a one-off audit with a vulnerability scan, plugin check, and measures list. Recurring maintenance under contract ranges between 50 and 200 euros per month, depending on site complexity.

Am I automatically safe with a kit-builder like Wix or Squarespace?

Safer than with neglected discount hosting, but not automatically completely. The kit-builder provider takes care of infrastructure and software updates; you remain responsible for strong logins, 2FA, data protection, and third-party apps. If you leave everything on default settings, you still have gaps.

What do I have to do legally after a hack incident?

If personal data may be affected: notification to the data-protection authority within 72 hours, inform the affected persons, document all measures before and after the incident. In parallel, restore the site, identify the cause, close the vulnerabilities. Without legal accompaniment this rarely goes well.

What you can do today

Three steps that together take under an hour: check the lock symbol on your site, set up 2FA for your admin access, send the host a mail asking "how often is my backup created, how do I restore it in an emergency". Anyone doing these three steps today has a measurably better security posture than half of all Austrian SME sites. For the wider context of web-design discipline in which security sits as one piece, the overview for regional businesses ties the pieces together.
