At Robot Creative, we've been doing small business websites, marketing and branding for 22 years. We've seen the evolution of security for small business (SMB) websites from the very early days of the Internet, including a rise in hacked SMB websites that we have had to help recover and lock down. Small businesses do not have access to the same staffing and financial resources that a large corporation does. There is no CTO or CISO, and they probably can’t afford security tools (and wouldn’t know what to do with them in any case). But the good news is that SMBs usually have very simple website security requirements.
Unlike large corporations, small businesses are rarely hand-picked to be attacked by hackers with creative and relentless methods. Rather, they are subjected to automated attacks, and those are relatively easy to protect against using a few straightforward guidelines and tools.
Content Management Systems Come With Security Risks
One of the most vulnerable aspects of a website is the content management system (CMS) itself. Because the vast majority of small business websites are built in WordPress, it is the platform that automated attacks most often target. Other content management systems have similar concerns (and similar recommendations).
- Start with where it is hosted. A hosting company that is specific to WordPress will have automated security patches and updates. Other content management systems will have similar hosting and security options.
- Shared hosting can pose a risk because any one site on a shared server might be exploited, providing access to all of the other sites as well. However, the expense of a dedicated server just isn’t worth it for most SMBs. The hosts are pretty good at monitoring their server traffic and addressing breaches, and with proper backup procedures, you can always restore a site.
- Speaking of backups, this isn’t a security feature per se, but we do recommend using a host that stores nightly automated backups. If needed, this lets you recover your site by rolling back to a version from before the compromise. The alternative might be rebuilding the site from scratch, because it’s almost impossible to “clean” a site that has been exploited, and the cost can be as much as or more than building a new site. Here at ROBOT, we always store a backup of the original website on our local servers as an extra precaution.
- Keep the CMS software up to date. Yes, you do want the latest version, always. Almost all version updates include critical security fixes. Don’t wait on these even if the upgrade is costly; a hacked site will be far more expensive.
- What's the biggest exploit we have seen? Simple password attacks. It’s amazing how few people heed the advice to use strong passwords, but it’s critical. Passwords should also be unique to each product or service rather than reused in several places. It’s also important to truly understand all of the places where passwords are used on a website: 1) the domain management account (typically where you purchased your website URL or name), 2) the hosting account, and 3) the content management system, which may have a system owner account and several content editor accounts.
Functionality Increases Risk
Once you get a content management system locked down, a typical marketing website has minimal security risk, but as you add functionality, the security risk increases. To be clear: basic words and photos on the page do not make a site vulnerable. It’s things like forms, calendars, search fields, and plugins that “do” cool things that make a site more vulnerable. Anything that includes a button or accepts “input” from the users of the website is probably a functional item that should be given some security consideration. Some of the most common issues we have seen, and how to resolve them:
- Almost all websites have some kind of contact form, and a captcha on all forms, requiring the user to select photos with certain images or to type in scrambled numbers or letters, can prevent many automated attacks (and also reduce spam). Find those annoying, or worried about the user experience? There is something called the honeypot method, which adds form fields to the page that users can’t see. If a bot fills one in, the software recognizes the attempted exploit and blocks the submission. Although the honeypot method offers the best user experience, it may not provide the same level of protection as a captcha.
- Plugins are a regular source of trouble. Most plugins are third-party tools that add new functionality to a basic website. These can be visible to users, like calendars or social media feeds, but they may also be invisible, running silently in the background to support video integrations or increase page speeds. When selecting plugins, look for widely used, well-supported plugins that are endorsed by the content management platform itself. Make sure the tool is developed by a company and not “some dude” in Ukraine. We also avoid plugins that call out to other sites for any type of information. This requires a code review or scan to ensure that no external URLs are baked into the plugin.
Really Small Business or Limited Resources?
If all of this security is too overwhelming for smaller businesses, click-to-create website services (Squarespace, Wix) can provide a great framework without any of these headaches. These types of services have been around for years, and as the Internet evolves and matures, more and more of these options are becoming available. They are affordable, safe and simple to use, and they can be packed full of features that would be expensive to assemble for a custom site, especially once security and maintenance are considered. If you have strong branding, you can easily overcome the “template” look and feel.
Monthly Subscription-based Websites Can Offset Risk
Most SMBs have fairly straightforward marketing website needs, and the website carries very little risk. However, for those needing more functionality or managing more risk (like e-commerce, customer portals or collection of sensitive customer data), businesses really need to consider the level of technical and security risk they are able to handle in-house. If there isn’t a C-level position for technology, small businesses should look to SaaS solutions for their functional needs. These might be third parties to their marketing website (where visitors leave the site to visit a portal or shopping site) or they might be fully hosted solutions like an e-commerce website in Shopify or Squarespace. There are also industry-specific solutions for most common industries. You pay higher monthly costs, but the upfront cost is typically minimal and leaves security issues to the provider, not the business.
Websites vs. Web-based Applications
We should also differentiate between a website and a web-based application. What we have described up to this point are websites. Web-based applications are software applications that have web access. A business sophisticated enough to be developing web-based applications should have security in mind as they are writing their first lines of code. Companies doing significant software development should have an in-house security expert or work with an outsourced partner to ensure that their software, network and data are all secure.
Understand Your Risk
No matter the scale or scope of a small business website, any project should begin with an understanding of what is actually at risk. If the website is compromised, will you just need to reinstall an older version, or will you have business operations, sales and customer data at risk? While news of ever-increasing attacks can cause fear and doubt, it is relatively easy to assess your risk and plan accordingly. When in doubt, hire a security consultant.
At Robot Creative, we have been building and maintaining websites for over 22 years. Please reach out to us if you have concerns about your website security or would like to discuss a new website.