Zum Inhalt springen
Website, shop & visibility from one source
Sicherheit

Website Security Basics for SMEs

Website security for SMEs explained clearly: updates, HTTPS, backups, strong access and a WAF, typical attacks and what you should practically do.

12 min read Website-SicherheitHTTPSBackupsUpdatesKMU

Website security sounds like a topic for large corporations with their own IT department. In reality it hits small and medium-sized enterprises at least as hard, often harder, because there is rarely anyone with the time to look after it. Attacks on websites today are largely automated: programs scan the web around the clock for sites with known weaknesses and strike as soon as they find one, no matter whether a global corporation or a small workshop sits behind it. Germany's Federal Office for Information Security recently counted around 309,000 (BSI security report) new malware variants per day. The good news: the most effective protective measures are no secret science. Anyone who knows the basics and applies them consistently reduces their risk considerably. This article explains the five pillars of website security, shows the typical attacks and sums up what an SME should practically do, without jargon and without scaremongering.

Website security: the five pillarsShrink the attack surface before an attack causes harm1UpdatesKeep currentApply core, themesand plugin updatespromptlyClose the gaps2HTTPSEncryptedValid certificate,secure connectionon every pageSignal trust3BackupsRestorableRegular, storedoff-site andtestedSafety net4AccessLock the doorsStrong passwords,two-factor, fewaccountsLimit access5WAFPre-filterBlock attacksbefore they reachthe siteFilter attacksSecurity is not a product but an ongoing processUpdates, HTTPS, backups, strong access and a pre-filter work together

Why Website Security Also Concerns SMEs

A widespread misconception goes: my website is too small to be interesting for attackers. Behind this lies the idea that someone deliberately decides to attack a particular site. That is usually not how it works. The bulk of attacks are automated and untargeted. Malware scans broad address ranges and checks whether a site has a known gap, runs outdated software or uses a weak password. Whether a famous name sits behind it is secondary. For the attacker, all that counts is whether the site can be hijacked, in order to send spam from it, infect further machines or redirect visitors to fraudulent pages.

The damage ultimately hits the company. A hijacked website can be offline for days, search engines may flag it as unsafe and drop it from results, customer data can leak and the good reputation suffers. For an SME that wins enquiries or sells through its website, that is not a marginal problem but a direct loss of revenue. On top of this comes the duty to handle personal data carefully. How to get this legally right is explored in our article on the GDPR website checklist. Security and data protection belong closely together here.

Why the human is the weak point

According to the Verizon Data Breach Investigations Report, around 68 percent (Verizon DBIR) of the incidents examined involved a human element, such as a weak password, a careless click or a missed update. Technology alone is therefore not enough. It is just as much about clear procedures and good everyday habits.

The Five Pillars of Website Security

Most successful attacks on SME websites use no sophisticated tricks but simply neglected basics. Five building blocks together form a solid foundation: up-to-date software, an encrypted connection over HTTPS, working backups, strong access and a pre-filter that catches known attacks. None of these points is sufficient on its own, yet in combination they reduce the risk markedly. The following cards give an overview before we go through each pillar in turn.

Updates

Keep core, themes and extensions current. Most attacks target long-known and long-closed gaps in outdated software.

HTTPS

A valid certificate encrypts the connection. Without HTTPS browsers warn visibly and trust drops.

Backups

Regular, off-site and tested backups are the safety net for when something does go wrong.

Strong Access

Long, unique passwords, two-factor authentication and as few high-privilege accounts as possible.

WAF

A web application firewall filters out typical attack patterns before they reach the actual application.

Monitoring

Regular checks of availability and anomalies ensure that problems are noticed early.

Pillar 1: Apply Updates Consistently

Updates are the most underrated and at the same time most effective protection. Software consists of many parts: the content management system, the design theme, extensions and the programming languages in the background. In all of these, security gaps are regularly discovered and closed by the makers through updates. The problem is that when an update is released, the gap becomes public knowledge too. Attackers then know exactly where to strike and deliberately search for sites that have not yet applied the update. An outdated extension is therefore an open door with a signpost.

In practice it rarely fails on knowledge but on everyday routine: nobody feels responsible, updates seem tedious, and the fear that an update might break something leads to postponement. This is exactly where a clear procedure helps. Updates belong scheduled, ideally first checked in a test environment and only then applied to the live site, always with a fresh backup beforehand. Anyone who cannot or does not want to carry out this ongoing maintenance themselves puts it in good hands. What reliable website care that takes on exactly these tasks looks like is described on a page of its own.

The golden rule for updates

First backup, then update, then quickly check that everything works. These three steps in fixed order prevent the most common mishaps and ensure that, in case of doubt, an update can be reversed at any time.

Pillar 2: HTTPS as a Given

HTTPS ensures that the connection between the visitor's browser and your server is encrypted. Without this encryption, data such as a contact form or a login could be read or altered along the way. HTTPS is recognisable by the padlock symbol in the address bar and the https prefix. By now over 95 percent (Google Transparency Report) of browser traffic runs encrypted, and browsers warn visibly on unencrypted sites. A site without HTTPS today not only seems technically outdated but actively deters visitors and can cost enquiries.

The good news: setting up HTTPS is no longer a cost factor. Non-profit certificate authorities issue free certificates and renew them automatically, which with proper web hosting is usually already set up. It is important that all pages really are delivered over HTTPS, that requests to the unencrypted address are redirected automatically, and that no individual content such as images or fonts is still loaded unencrypted. Such mixed content otherwise triggers warnings and undermines the encryption.

Practical tip: keep an eye on the certificate

A certificate has an expiry date. If it lapses, the browser shows a clear warning that scares visitors off. Automatic renewal removes this risk but should still be checked occasionally. A simple reminder, or a care service that monitors it, prevents the unpleasant surprise.

Pillar 3: Backups as a Safety Net

No protection is watertight, and that is precisely why backups matter so much. A backup is a complete copy of your website with which an earlier state can be restored. It helps not only after an attack but also when an update goes wrong, a file is deleted by accident or the server fails. Three properties are decisive here and are often forgotten. A backup must be created regularly, it must sit in a different place than the website itself, and it must be demonstrably restorable. A backup that only sits on the same server is often just as affected as the site in a serious incident.

  • Automatic and regular, not just created once by hand
  • Stored off-site, separate from the site's web server
  • Several points in time, so you can go back to a clean state
  • Tested, meaning restored on a trial basis at least once
  • Covering the database too, not just the files
  • Documented, so it is clear in an emergency who does what

The most common mistake is relying on a backup that has never been tested. Only in an emergency does it then turn out that the copy is incomplete or cannot be restored. A backup is only worth as much as the certainty that it works. That is why an occasional trial run is part of it. Anyone having a site reworked or moved should think of backups from the outset, as we show in the article on the website relaunch.

Pillar 4: Create Strong Access

Many website takeovers begin not with a technical gap but with a guessed or stolen password. Automated programs try thousands of common combinations in a short time or use credentials that leaked in earlier data breaches. A short or reused password is thus one of the biggest weaknesses of all. The remedy is long, unique passwords used nowhere else, best managed in a password store so you do not have to remember them.

The greatest additional protection comes from two-factor authentication. Here the password alone is no longer enough; a second factor is requested as well, such as a one-time code from an app. Even if a password falls into the wrong hands, access stays locked. Just as important is keeping the number of accounts with far-reaching rights small. Not everyone who maintains content needs full administrative permission. Fewer high-privilege accounts mean less attack surface.

Often overlooked: old accounts and default logins

An orphaned account of a former employee or a never-changed default password is a favourite point of entry. Check regularly who has access, remove accounts no longer needed and change preset credentials immediately after setup. The standard user name, too, should not be the most obvious one.

Pillar 5: WAF as a Pre-Filter

A web application firewall, WAF for short, is a protective layer that sits between visitors and your website. It inspects incoming requests and filters out known attack patterns before they reach the actual application. You can picture it as a doorkeeper who turns away obviously harmful requests while normal visitors pass through unhindered. A WAF catches many automated attacks, such as attempts to inject malicious code or to try login combinations en masse, and thereby reduces the load that reaches the website at all.

The right framing matters: a WAF does not replace the other pillars but complements them. It is no reason to neglect updates, because it can only recognise patterns known to it. As an additional layer, however, it is very valuable, precisely because it catches a large share of the automated background noise every website on the web is exposed to. Whether a WAF makes sense and in what form depends on the hosting and the protection needs and can be set up and maintained well within ongoing care.

Typical Attacks and How to Guard Against Them

Knowing the most common types of attack helps you understand why the five pillars work as they do. Most attacks on SME websites can be assigned to a few recurring patterns. The overview below briefly explains for each how an attack unfolds and which basic measure protects best. It does not replace an individual review but makes clear that the base measures are not theory but act against very concrete threats.

AttackHow it unfoldsBest protection
Exploiting known gapsAutomated search for outdated software with a publicly known weaknessConsistent updates of core and extensions
Password attackMass trying of passwords or use of leaked credentialsStrong, unique passwords and two-factor
Injecting malicious codeManipulated inputs to subvert the database or pageUp-to-date software plus WAF as a pre-filter
Malware and defacementAltered content, spam pages or redirects on the hijacked siteUpdates, strong access and regular monitoring
Overload by requestsA flood of automated requests brings the site downProtective layer at the hosting and WAF
Phishing with your brandFraudsters use your name for fake pages or emailsHTTPS, awareness and vigilant monitoring

What SMEs Should Practically Do

From the basics a manageable list can be derived that an SME without its own IT department can implement or commission. The core is not to do everything perfectly at once but to handle the most important points reliably and repeatedly. Security is not a one-off project you tick off but a habit that must be anchored in the operation. The following order has proven itself in practice (Projekterfahrung).

  1. Ensure HTTPS for the whole site and check redirects
  2. Set up automatic, off-site backups and restore one on a trial basis
  3. Switch all logins to strong, unique passwords and enable two-factor
  4. Establish a fixed rhythm for updates, always with a backup beforehand
  5. Remove unused accounts, extensions and old data
  6. Consider a protective layer or WAF, matching the hosting
  7. Monitor availability and anomalies regularly
  8. Clarify responsibility so that someone acts in an emergency

The most important thought

No single measure makes a website impregnable, and no one can assure security. But the combination of up-to-date software, HTTPS, tested backups, strong access and a pre-filter lowers the risk so far that the vast majority of automated attacks come to nothing. Anyone who maintains these basics continuously is far better positioned than average and thus a less attractive target.

For many SMEs the most realistic path is to hand these tasks over to ongoing care rather than squeezing them in themselves. That way responsibility stays clear, updates and backups happen reliably, and in an emergency there is a contact who reacts quickly. Which further building blocks belong to a reliable website is shown by our services at a glance. Security in the end is not a product you buy but a process you maintain, and therein lies the real work.

This article is based on data from: BSI (German Federal Office for Information Security report), Verizon (Data Breach Investigations Report), Google Transparency Report (HTTPS encryption) and our own projects. Figures marked (Projekterfahrung) are based on our own website projects and are experience values. The values named can vary by system, hosting and use, and a specific level of security cannot be assured.