Website Security—a Complete Action Plan for Small Businesses

We hope you like reading this blog post.
If you would like the Boost IT team to just do your WordPress website security for you, click here.

Google blacklists tens of thousands of websites every day, effectively wiping out all organic traffic to those affected sites. If your small business relies on its website, having a Website Security Action Plan is essential.


There’s an increasing prevalence of stronger, more sophisticated bad bots online.

The term “bad bot” can raise a smile (although not so much when it describes pieces of code designed to do very bad things on the internet).

Even if you’re not a techie, there are lots of simple measures you can deploy to reduce your security risks.

Why Is Website Security Important?

Small businesses often build websites with software from multiple third parties. Remember the ’90s, when businesses had to employ people to code almost every element of their website? And pay for even basic changes, like a misspelt word?

Now WordPress makes adding website content and functionality simple for anyone in the office to do. There is an enormous selection of free plugins at your fingertips. You can add Instagram feeds, signup forms, and much more, literally within seconds.

So, on one hand, thousands of free plugins make all your business’s online marketing easier. On the other, they create vulnerabilities in how you deliver content to your website visitors.

There is much more surface area on your website which bad bots can attack. Squarespace, WordPress and other content management systems have plugins and themes—built by a myriad of sources—that you can simply click to install in seconds. The average number of plugins on a WordPress site varies. Most small businesses that come to us have about 20 to 30.

Security agencies and government websites get hacked. No website is 100% secure. Having a plan that includes regular backups is hugely important.

Over Time, Website Software Does Get Soft. And Stale.

Stale software can attract bots like flies

When you install plugins, they may be popular, and have optimised, secure code. Two years later—if the plugins are not maintained and updated—they can resemble the ghouls from Thriller—a stinky mess that bad bots can sniff out and swarm towards. Curious about what they look like? Here’s a list of known WordPress security flaws.

If every software developer coded perfectly (to the highest standards, and maintained their code vigilantly), we could throw 100 plugins on every website and not worry. No one is perfect.

Cyber criminals are now far more sophisticated in how they build automated bots at scale. Imagine your website being a conduit for a bad bot to hijack a customer’s device while they’re browsing online FAQs or filling out one of your website forms.

With greater scrutiny by government and media around data, privacy and security, small business owners should be proactive with their website software.

Create a Website Security Action Plan

In your plan, consider the following tips:

  • Use strong passwords that are unique for each element of your website, including the cPanel/hosting account, FTP, the WordPress admin area and the database.
  • Don’t give anyone Administrator access unless you absolutely have to.
  • Use a reputable website hosting provider that takes security seriously.
  • Ensure you respond immediately to Warning and Error emails received from Google Search Console.
  • Regularly assess plugins. Do you need them? Are they being regularly maintained by the developer?
  • Regularly update all website software, including WordPress, plugins, and the theme. Don’t forget to update PHP (carefully) as well.
  • Remove any unused plugins and themes to reduce maintenance overheads (and speed up your website).
  • Have a regular backup plan that includes storing a copy of your website files and database somewhere else, additional to storage on your web hosting server.
  • Add fine-tuning website security plugins, like Wordfence.
  • Ensure that your website has a valid SSL certificate, a padlock in the address bar of your browser, and your website address starts with “https” rather than “http”.
  • Add Google ReCAPTCHA to your contact forms—it’s a free service that makes it difficult for bots to fill out your forms.
  • Use Cloudflare to make it more resource intensive and costly for perpetrators to deploy bad bots.
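
The plugin items in this plan (assess, update, remove) can be checked in one pass. The script below is an added example, not Boost IT's own tooling: it reads plugin data in the JSON shape that WP-CLI's `wp plugin list --format=json` prints, and it assumes you have noted each plugin's last release date by hand. The plugin names, dates and the `audit_plugins` function are made up for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape printed by `wp plugin list --format=json`
# (WP-CLI), trimmed to the fields used here. Plugin names are made up.
WP_PLUGIN_LIST = """[
  {"name": "contact-form-example", "status": "active",   "update": "available", "version": "5.1"},
  {"name": "insta-feed-example",   "status": "active",   "update": "none",      "version": "2.0.3"},
  {"name": "old-slider-example",   "status": "inactive", "update": "none",      "version": "1.4"},
  {"name": "seo-helper-example",   "status": "active",   "update": "none",      "version": "9.8"}
]"""

# Assumption: last release date of each plugin, noted by hand from its listing page.
LAST_RELEASE = {
    "contact-form-example": date(2024, 3, 1),
    "insta-feed-example": date(2021, 6, 10),
    "old-slider-example": date(2019, 2, 20),
    "seo-helper-example": date(2024, 11, 5),
}

STALE_AFTER_DAYS = 2 * 365  # the "two years later" rule of thumb from this post


def audit_plugins(plugin_json, last_release, today):
    """Return {plugin name: [actions]} for every plugin that needs attention."""
    findings = {}
    for plugin in json.loads(plugin_json):
        name, actions = plugin["name"], []
        if plugin["status"] == "inactive":
            actions.append("remove: installed but not in use")
        if plugin["update"] == "available":
            actions.append("update: newer version available")
        released = last_release.get(name)
        if released is None:
            actions.append("review: no release date on record")
        elif (today - released).days > STALE_AFTER_DAYS:
            actions.append("review: no release in over two years")
        if actions:
            findings[name] = actions
    return findings


if __name__ == "__main__":
    report = audit_plugins(WP_PLUGIN_LIST, LAST_RELEASE, date(2025, 1, 15))
    for name, actions in report.items():
        print(name, "->", "; ".join(actions))
```
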



Google Search Console

Google Search Console helps you measure your website’s search traffic and performance as well as find and fix issues (including security problems). If you haven’t already done so, set it up now for your website. Watch this 10-minute video to learn how.

Shared Website Hosting

On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

Our small business website hosting options work 24/7 to protect your website and data, by:

  • continuously monitoring our network for suspicious activity
  • having a simple backup and restore process
  • having tools in place to prevent large scale DDoS attacks
  • keeping server software and hardware up to date to prevent hackers from exploiting security vulnerabilities in an old version.


If you have a WordPress website, the most popular security plugin, Wordfence, will help protect against attackers.

Wordfence Firewall & Scan leverages a constantly updated Threat Defense Feed, alerting you quickly about security issues or if your website is compromised. A Live Traffic view gives you real-time visibility into traffic and hack attempts on your website.

Tailor your security, notifications, response, and much more with the “All Options” section.


SSL won’t stop bad bots, but it will protect visitors on your website from spying and attacks from hackers (who may try to steal their contact details like phone numbers, email addresses and credit card information).


Google ReCAPTCHA adds a background test to check if it’s a human or bot filling out a website form. If your contact and other forms don’t have any security, hackers can “trick” them into sending out spam, which is another fast way for your business’s website to be added to blacklists.


Most web hosting companies integrate the free Cloudflare content delivery network option with shared hosting plans. You do have to turn it on and set it up correctly. Cloudflare’s main function is to improve website performance and page loading speed. However, there are also useful security features.

You can enable Bot Fight Mode for free under Firewall > Settings.
