Most websites that get hacked in 2026 aren't victims of sophisticated attackers — they're picked off by automated bots scanning for the same handful of misconfigurations. This is the practical security checklist we ship on every client site to stop 95% of the traffic that's trying to break in.
What actually attacks small business websites in 2026
- Credential stuffing — bots trying leaked passwords against your login.
- Outdated CMS plugins — the single most common WordPress breach vector.
- Exposed API keys — pushed to public repos or shipped in client code.
- Form spam and abuse — cheap for attackers, expensive for you.
- Supply-chain attacks — a compromised npm package quietly exfiltrating data.
You're not being targeted. You're being scanned. That's actually good news — the defenses are cheap and well-known.
HTTPS and security headers (the free wins)
- 1HTTPS everywhere with HSTS and preload — HTTP should 301 to HTTPS, never serve.
- 2Content-Security-Policy — the single most effective XSS defense.
- 3X-Frame-Options: DENY or CSP frame-ancestors — prevents clickjacking.
- 4X-Content-Type-Options: nosniff — stops MIME-type confusion attacks.
- 5Referrer-Policy: strict-origin-when-cross-origin — a sensible default.
- 6Permissions-Policy — lock down camera, mic, geolocation unless you need them.
Authentication and access
- Never roll your own auth. Use a vetted provider (Supabase Auth, Clerk, Auth0, Cognito).
- Enforce 2FA on every admin account — SMS is better than nothing, TOTP is better than SMS, passkeys are best.
- Rate-limit login attempts and password reset endpoints.
- Store passwords with bcrypt or argon2 — never MD5, never SHA-256 alone.
- Use role-based access control — no one logs in as admin for daily work.
"The two cheapest security wins in 2026: strong headers and mandatory passkeys. Together they neutralize most opportunistic attacks."
Dependencies and supply chain hygiene
- 1Automated dependency scanning (Dependabot, Snyk, or npm audit in CI).
- 2Pin exact versions in your lockfile — no floating ^ ranges in production.
- 3Review new dependencies before adding — check maintainer, downloads, last publish date.
- 4Fewer dependencies is always safer. Delete anything you don't need.
- 5Scan client-side bundles for accidentally shipped secrets before every deploy.
Backups, monitoring and incident response
- Automated daily database backups stored off-platform — test the restore quarterly.
- Point-in-time recovery for anything containing user data.
- Uptime monitoring with alerting — Better Stack, Pingdom, or UptimeRobot.
- Error tracking (Sentry) — you can't fix what you can't see.
- A one-page incident response plan: who to call, how to rotate secrets, what to communicate.
Want a security audit of your live site?
Request a free security reviewFrequently asked questions
Do I need a WAF (Web Application Firewall)?
For most small business sites, Cloudflare's free tier gets you 80% of the value. Upgrade to a managed WAF when you handle payments, PII at scale, or attract targeted attacks.
How often should I run a security audit?
Automated scans on every deploy. Manual review quarterly. Full penetration test annually or after any major architectural change.
