Website security sounds like a topic for large corporations with their own IT department. In reality it hits small and medium-sized enterprises at least as hard, often harder, because there is rarely anyone with the time to look after it. Attacks on websites today are largely automated: programs scan the web around the clock for sites with known weaknesses and strike as soon as they find one, no matter whether a global corporation or a small workshop sits behind it. Germany's Federal Office for Information Security recently counted around 309,000 (BSI security report) new malware variants per day. The good news: the most effective protective measures are no secret science. Anyone who knows the basics and applies them consistently reduces their risk considerably. This article explains the five pillars of website security, shows the typical attacks and sums up what an SME should practically do, without jargon and without scaremongering.
Why Website Security Also Concerns SMEs
A widespread misconception goes: my website is too small to be interesting for attackers. Behind this lies the idea that someone deliberately decides to attack a particular site. That is usually not how it works. The bulk of attacks are automated and untargeted. Malware scans broad address ranges and checks whether a site has a known gap, runs outdated software or uses a weak password. Whether a famous name sits behind it is secondary. For the attacker, all that counts is whether the site can be hijacked, in order to send spam from it, infect further machines or redirect visitors to fraudulent pages.
The damage ultimately hits the company. A hijacked website can be offline for days, search engines may flag it as unsafe and drop it from results, customer data can leak and the good reputation suffers. For an SME that wins enquiries or sells through its website, that is not a marginal problem but a direct loss of revenue. On top of this comes the duty to handle personal data carefully. How to get this legally right is explored in our article on the GDPR website checklist. Security and data protection belong closely together here.
Why the human is the weak point
The Five Pillars of Website Security
Most successful attacks on SME websites use no sophisticated tricks but simply neglected basics. Five building blocks together form a solid foundation: up-to-date software, an encrypted connection over HTTPS, working backups, strong access and a pre-filter that catches known attacks. None of these points is sufficient on its own, yet in combination they reduce the risk markedly. The following cards give an overview before we go through each pillar in turn.
Updates
Keep core, themes and extensions current. Most attacks target long-known and long-closed gaps in outdated software.
HTTPS
A valid certificate encrypts the connection. Without HTTPS browsers warn visibly and trust drops.
Backups
Regular, off-site and tested backups are the safety net for when something does go wrong.
Strong Access
Long, unique passwords, two-factor authentication and as few high-privilege accounts as possible.
WAF
A web application firewall filters out typical attack patterns before they reach the actual application.
Monitoring
Regular checks of availability and anomalies ensure that problems are noticed early.
Pillar 1: Apply Updates Consistently
Updates are the most underrated and at the same time most effective protection. Software consists of many parts: the content management system, the design theme, extensions and the programming languages in the background. In all of these, security gaps are regularly discovered and closed by the makers through updates. The problem is that when an update is released, the gap becomes public knowledge too. Attackers then know exactly where to strike and deliberately search for sites that have not yet applied the update. An outdated extension is therefore an open door with a signpost.
In practice it rarely fails on knowledge but on everyday routine: nobody feels responsible, updates seem tedious, and the fear that an update might break something leads to postponement. This is exactly where a clear procedure helps. Updates belong scheduled, ideally first checked in a test environment and only then applied to the live site, always with a fresh backup beforehand. Anyone who cannot or does not want to carry out this ongoing maintenance themselves puts it in good hands. What reliable website care that takes on exactly these tasks looks like is described on a page of its own.
The golden rule for updates
Pillar 2: HTTPS as a Given
HTTPS ensures that the connection between the visitor's browser and your server is encrypted. Without this encryption, data such as a contact form or a login could be read or altered along the way. HTTPS is recognisable by the padlock symbol in the address bar and the https prefix. By now over 95 percent (Google Transparency Report) of browser traffic runs encrypted, and browsers warn visibly on unencrypted sites. A site without HTTPS today not only seems technically outdated but actively deters visitors and can cost enquiries.
The good news: setting up HTTPS is no longer a cost factor. Non-profit certificate authorities issue free certificates and renew them automatically, which with proper web hosting is usually already set up. It is important that all pages really are delivered over HTTPS, that requests to the unencrypted address are redirected automatically, and that no individual content such as images or fonts is still loaded unencrypted. Such mixed content otherwise triggers warnings and undermines the encryption.
Practical tip: keep an eye on the certificate
Pillar 3: Backups as a Safety Net
No protection is watertight, and that is precisely why backups matter so much. A backup is a complete copy of your website with which an earlier state can be restored. It helps not only after an attack but also when an update goes wrong, a file is deleted by accident or the server fails. Three properties are decisive here and are often forgotten. A backup must be created regularly, it must sit in a different place than the website itself, and it must be demonstrably restorable. A backup that only sits on the same server is often just as affected as the site in a serious incident.
- Automatic and regular, not just created once by hand
- Stored off-site, separate from the site's web server
- Several points in time, so you can go back to a clean state
- Tested, meaning restored on a trial basis at least once
- Covering the database too, not just the files
- Documented, so it is clear in an emergency who does what
The most common mistake is relying on a backup that has never been tested. Only in an emergency does it then turn out that the copy is incomplete or cannot be restored. A backup is only worth as much as the certainty that it works. That is why an occasional trial run is part of it. Anyone having a site reworked or moved should think of backups from the outset, as we show in the article on the website relaunch.
Pillar 4: Create Strong Access
Many website takeovers begin not with a technical gap but with a guessed or stolen password. Automated programs try thousands of common combinations in a short time or use credentials that leaked in earlier data breaches. A short or reused password is thus one of the biggest weaknesses of all. The remedy is long, unique passwords used nowhere else, best managed in a password store so you do not have to remember them.
The greatest additional protection comes from two-factor authentication. Here the password alone is no longer enough; a second factor is requested as well, such as a one-time code from an app. Even if a password falls into the wrong hands, access stays locked. Just as important is keeping the number of accounts with far-reaching rights small. Not everyone who maintains content needs full administrative permission. Fewer high-privilege accounts mean less attack surface.
Often overlooked: old accounts and default logins
Pillar 5: WAF as a Pre-Filter
A web application firewall, WAF for short, is a protective layer that sits between visitors and your website. It inspects incoming requests and filters out known attack patterns before they reach the actual application. You can picture it as a doorkeeper who turns away obviously harmful requests while normal visitors pass through unhindered. A WAF catches many automated attacks, such as attempts to inject malicious code or to try login combinations en masse, and thereby reduces the load that reaches the website at all.
The right framing matters: a WAF does not replace the other pillars but complements them. It is no reason to neglect updates, because it can only recognise patterns known to it. As an additional layer, however, it is very valuable, precisely because it catches a large share of the automated background noise every website on the web is exposed to. Whether a WAF makes sense and in what form depends on the hosting and the protection needs and can be set up and maintained well within ongoing care.
Typical Attacks and How to Guard Against Them
Knowing the most common types of attack helps you understand why the five pillars work as they do. Most attacks on SME websites can be assigned to a few recurring patterns. The overview below briefly explains for each how an attack unfolds and which basic measure protects best. It does not replace an individual review but makes clear that the base measures are not theory but act against very concrete threats.
| Attack | How it unfolds | Best protection |
|---|---|---|
| Exploiting known gaps | Automated search for outdated software with a publicly known weakness | Consistent updates of core and extensions |
| Password attack | Mass trying of passwords or use of leaked credentials | Strong, unique passwords and two-factor |
| Injecting malicious code | Manipulated inputs to subvert the database or page | Up-to-date software plus WAF as a pre-filter |
| Malware and defacement | Altered content, spam pages or redirects on the hijacked site | Updates, strong access and regular monitoring |
| Overload by requests | A flood of automated requests brings the site down | Protective layer at the hosting and WAF |
| Phishing with your brand | Fraudsters use your name for fake pages or emails | HTTPS, awareness and vigilant monitoring |
What SMEs Should Practically Do
From the basics a manageable list can be derived that an SME without its own IT department can implement or commission. The core is not to do everything perfectly at once but to handle the most important points reliably and repeatedly. Security is not a one-off project you tick off but a habit that must be anchored in the operation. The following order has proven itself in practice (Projekterfahrung).
- Ensure HTTPS for the whole site and check redirects
- Set up automatic, off-site backups and restore one on a trial basis
- Switch all logins to strong, unique passwords and enable two-factor
- Establish a fixed rhythm for updates, always with a backup beforehand
- Remove unused accounts, extensions and old data
- Consider a protective layer or WAF, matching the hosting
- Monitor availability and anomalies regularly
- Clarify responsibility so that someone acts in an emergency
The most important thought
For many SMEs the most realistic path is to hand these tasks over to ongoing care rather than squeezing them in themselves. That way responsibility stays clear, updates and backups happen reliably, and in an emergency there is a contact who reacts quickly. Which further building blocks belong to a reliable website is shown by our services at a glance. Security in the end is not a product you buy but a process you maintain, and therein lies the real work.