“My business is too small to be hacked.” It is a comforting thought, and it is dangerously wrong. The UK Government's annual Cyber Security Breaches Survey consistently shows that small firms are attacked at least as often as large ones, because hackers do not target you personally — they run automated scanners against thousands of sites looking for a weak password, an expired certificate, an outdated plugin. Your site does not need to be important; it just needs to be vulnerable. This guide walks through the practical, non-technical security a UK SME actually needs: SSL, backups, updates, passwords, incident response and the legal obligations around data breaches.
In this guide:

- The scale of the problem in the UK
- The four threats you actually face
- SSL: the padlock that builds trust
- Backups: your safety net
- Software updates
- Passwords and access
- UK GDPR and the ICO 72-hour rule
- If your site is hacked
- What UK security actually costs
- Security as a trust signal
- How Sitejet Builder covers the basics
- FAQ
The 2025 Cyber Security Breaches Survey from the Department for Science, Innovation and Technology found that 43% of UK businesses experienced a cyber-security breach or attack in the previous twelve months. Among micro and small businesses the figure was still alarmingly high. The average direct cost to a small business was £3,000–£5,000; once you factor in lost customers, downtime and the cost of remediation, some incidents ran to tens of thousands.
Attackers do not read the trade press to find you. They run bots that scan IP ranges and random domain lists looking for common weaknesses — an unpatched WordPress plugin, a weak admin password, an expired SSL certificate that triggers a browser warning, an exposed /wp-admin/ endpoint. The economics are simple for them: one successful compromise out of ten thousand attempts pays for the bot farm. You do not need to be a bank; you just need to be the easiest target on the street.
The good news: basic website security is neither complicated nor expensive. Most of what matters in this guide ships with a good managed hosting plan. The goal is not to turn your site into a vault; it is to stop being the one front door on the high street left wide open.
Before we talk about fixes, it helps to know what you are protecting against. Four threat patterns account for the overwhelming majority of UK small-business incidents.
Attackers plant malicious code on your pages. The code might redirect visitors to a scam site, pop a fake e-commerce checkout, steal form data or install browser-hijacking extensions. Google detects this in Search Console and, on a visit, Chrome shows a bright red full-screen warning. Your business is effectively offline until cleaned up — and Google can take days to lift the flag even after cleanup.
Your compromised site (or domain) is used to send e-mails that impersonate you. Customers get fake invoices, fake delivery notifications, fake VAT reminders from “HMRC” — pointing at links that steal passwords or payment card details. Even when you are a victim rather than the source, the reputational damage with your own customers is severe and lasting.
Someone changes the content of your homepage — political messages, offensive material, or a simple “hacked by” banner. Embarrassing, damaging to trust, and a clear signal to every visitor that you do not take security seriously.
If your site collects personal data via contact forms, booking systems or an online shop, that data is valuable. Names, e-mails, phone numbers, order history and payment details are all targets. Under the UK GDPR you have 72 hours to report a notifiable personal data breach to the Information Commissioner's Office (ICO), and fines for inadequate protection can reach 4% of global turnover or £17.5 million, whichever is greater.
You have seen the small padlock in your browser's address bar. That padlock says the site uses an SSL certificate (technically now TLS, but everyone still calls it SSL). The connection between the browser and the server is encrypted — scrambled so that nobody between can read what is sent back and forth. For a UK small-business website, SSL is not optional.
Do you need an Extended Validation (EV) certificate? Almost certainly not. EV certificates cost £100–£300/year and require paperwork to prove your legal identity. They once showed a green company name in the address bar, but all major browsers removed that visual treatment in 2019–2020, making EV largely pointless for SME purposes. A Let's Encrypt DV (Domain Validation) certificate gives you identical encryption and the identical padlock. Reserve EV for the one case where a B2B customer's procurement form explicitly demands it.
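An expired certificate is one of the weaknesses the scanners in this guide look for, and the browser warning it triggers costs you customers before anyone even attacks you. The script below is an added example, not code from Sitejet or from this guide: it reads the expiry date from a live certificate using only the Python standard library and classifies it as OK, expiring soon or expired. The 14-day warning threshold and the `example.com` placeholder hostname are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 14  # assumption: raise an alert two weeks before the certificate lapses


def days_left(not_after, now=None):
    """Days until a certificate expires.

    `not_after` is the string format ssl.getpeercert() returns,
    e.g. "Jan  5 09:34:43 2018 GMT". A negative result means already expired.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map the expiry date to OK / EXPIRING / EXPIRED for a monitoring check."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < warn_days:
        return "EXPIRING"
    return "OK"


def check_site(host, port=443, timeout=5.0):
    """Connect to the live site and report its certificate status (needs network).

    The default context verifies the chain, expiry and hostname, so an expired
    or mis-issued certificate fails here before we can read its dates. That is
    the same failure a visitor's browser shows as "Not secure".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        return "INVALID", str(err)
    return classify(not_after), round(days_left(not_after), 1)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    print(host, *check_site(host))
```

Run it from a scheduled task once a day against your own domain and have it e-mail you on anything other than OK; with a free auto-renewing Let's Encrypt certificate the check should never fire, which is exactly the point of running it.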
Imagine waking up to find the site you spent weeks building has vanished. A server failure. A botched update. An attack. An accidental deletion by a freelancer with admin access. Without a backup you are starting from scratch. With a backup you are live again in minutes.
| Attribute | Why it matters |
|---|---|
| Automatic | Humans forget. Computers do not. Manual backups eventually stop. |
| Daily minimum | For most sites, once a day is enough. An active online shop may want hourly. |
| Stored separately | A backup on the same server is a spare key inside the house. Ransomware encrypts both. |
| Retained for weeks | Some compromises are only noticed a week later. You need yesterday's backup and last month's. |
| Tested | An untested backup is a rumour. Periodically restore to a staging URL to prove it works. |
| Easy to restore | One-click rollback matters when you are panicking. |
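The table's attributes are easy to claim and easy to get wrong, so here is an added example (not Sitejet's backup code, and not something the guide itself provides) that implements the ones you can automate: a dated daily archive written to a separate location, retention that keeps a fixed number of days, and a restore test that extracts into scratch space and compares every file hash against the live site. The 30-day retention, the directory layout and the sample florist site are assumptions; in practice the backup directory would be a different machine or a storage bucket.

```python
import hashlib
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path

KEEP = 30  # assumption: retain a month of daily archives


def _digest_tree(root):
    """Return {relative path: sha256} for every file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(site_dir, backup_dir, when=None):
    """Archive site_dir to backup_dir/site-YYYY-MM-DD.tar.gz.

    backup_dir stands for separate storage (another machine or a bucket):
    an archive kept on the same server is lost or encrypted with it.
    """
    when = when or date.today()
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{when.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return archive


def prune(backup_dir, keep=KEEP):
    """Delete all but the newest `keep` (>= 1) archives; ISO dates sort chronologically."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
    return [a.name for a in archives[-keep:]]


def verify_restore(archive, expected_dir):
    """Restore the archive into scratch staging space and compare every file hash.

    Returns True only if the restored tree is byte-identical to expected_dir.
    """
    with tempfile.TemporaryDirectory() as staging:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # safe extraction filter (Python 3.12+ and backports)
                tar.extractall(staging, filter="data")
            else:
                tar.extractall(staging)
        return _digest_tree(Path(staging) / "site") == _digest_tree(expected_dir)


def demo():
    """Constructed scenario: five daily backups, keep three, then show that the
    kept archive still restores the clean site after the live copy is altered."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "www"
        (site / "assets").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Bloom & Co Florist</h1>\n")
        (site / "assets" / "style.css").write_text("body { color: #333; }\n")
        offsite = Path(work) / "offsite"  # stands in for off-server storage
        first = date(2025, 6, 1)
        for day in range(5):
            make_backup(site, offsite, first + timedelta(days=day))
        kept = prune(offsite, keep=3)
        latest = offsite / kept[-1]
        clean = verify_restore(latest, site)
        (site / "index.html").write_text("<h1>defaced</h1>\n")  # simulate a change to the live site
        return {"kept": kept, "clean_restore": clean, "matches_altered_site": verify_restore(latest, site)}


if __name__ == "__main__":
    print(demo())
```

The restore test is the part most people skip. Running `verify_restore` against yesterday's archive once a week is a few seconds of compute and turns "we have backups" from a rumour into a fact you can show an insurer or the ICO.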
Rebuilding from memory with no files to restore takes days or weeks. During that time the business is invisible online, enquiries dry up, and you may be paying a developer emergency rates to reconstruct content, product catalogues and order history. For an online shop, losing order records can also create legal issues with the Consumer Rights Act 2015 (refund windows) and HMRC (record-keeping obligations).
Sitejet Builder Hosting includes daily automatic backups stored off-server. Restore to any recent point in a few clicks. It is the kind of safety net you hope never to need — which is exactly when it is worth its weight in gold.
If your site runs on WordPress or another CMS, you have seen the notification badges: “5 plugin updates available”, “WordPress 6.x is ready to install”, “Your theme needs updating”. It is tempting to ignore them — the site looks fine and everything works. Here is why that is dangerous.
Most of those updates are security patches. They fix known vulnerabilities — weaknesses that have been publicly documented and that hackers are actively scanning for within hours of publication. An outdated WordPress plugin is one of the most common entry points for UK small-business site compromises. The National Cyber Security Centre (NCSC) lists “update software regularly” in its five-control Cyber Essentials scheme as one of the highest-impact controls a business can deploy.
A typical WordPress site runs 20–30 plugins. Each is written by a different developer, updated on a different schedule, and carries its own vulnerabilities. When a plugin stops being maintained — a common occurrence — it becomes a ticking time-bomb. Known weakness, nobody patching it, bots that know exactly how to exploit it.
This is where a builder like Sitejet has a genuine security advantage over WordPress. Because Sitejet generates static-like pages rather than building each page from a database on every request, there are no plugins to patch and far fewer moving parts an attacker can probe, so the attack surface is dramatically smaller.
You focus on the business. They focus on keeping the server hardened.
Weak passwords remain the number-one way attackers get into websites. The NCSC regularly publishes the most common passwords found in breach dumps — password123, qwerty, letmein, football — and they appear year after year. Four rules will stop the vast majority of password-based attacks.
Same password across e-mail, hosting and CMS means one breach exposes everything. Use a password manager. Browsers have one built in; Bitwarden is a free, open-source standalone alternative. It remembers the passwords so you do not have to.
A 20-character passphrase like purple-elephant-rides-bicycles-daily is harder to crack than P@55w0rd! and much easier to remember. Modern NCSC guidance specifically recommends length over arcane character rules.
2FA adds a second step at login — usually a six-digit code from an authenticator app or a security key. Even if someone steals your password they cannot get in without the second factor. Enable 2FA on your hosting account, the CMS login, e-mail, domain registrar and any payment platform. App-based 2FA (Authy, Google Authenticator, 1Password) is stronger than SMS, which can be SIM-swapped.
Only give website access to people who genuinely need it. If a freelance designer helped build the site, change the password once the project is finished. If a team member leaves, revoke access the same day. The fewer accounts with admin rights, the fewer opportunities something goes wrong.
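To make the two technical rules above concrete, here is an added example (not code from Sitejet or from any of the authenticator apps named) showing what a length-based password check and the second factor actually are: a denylist-plus-length check in the spirit of NCSC guidance, and a standard-library implementation of the time-based one-time codes (RFC 6238) that authenticator apps generate. The 15-character minimum, the short denylist and the one-step tolerance for clock drift are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# A few entries from published breach-dump lists (the first four are the ones
# this guide names); a real deployment would load a much larger denylist.
COMMON_PASSWORDS = {"password123", "qwerty", "letmein", "football", "password", "123456"}
MIN_LENGTH = 15  # assumption: length-based policy, no forced symbol/number rules


def password_acceptable(pw):
    """Length over complexity: long enough and not on the common-password denylist."""
    return pw.lower() not in COMMON_PASSWORDS and len(pw) >= MIN_LENGTH


def new_totp_secret():
    """Fresh 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def secret_from_base32(text):
    """Decode the base32 secret shown to the user at enrolment back to raw bytes."""
    return base64.b32decode(text.upper())


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the code for the current step or `window` steps either side.

    The small window tolerates clock drift between phone and server; a code
    from further away is rejected, which is why a stolen password alone fails.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    enrolment = new_totp_secret()  # what the QR code at enrolment would carry
    print("current code:", totp(secret_from_base32(enrolment)))
```

The same HOTP routine underlies every app-based authenticator, which is why the codes are interchangeable between Authy, Google Authenticator and 1Password: the secret is what matters, and it never travels over SMS.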
Security is not only about preventing attacks — it is also about responding correctly when one happens. Under Article 33 of the UK GDPR, a controller has 72 hours from becoming aware of a personal data breach to notify the ICO, where the breach is likely to result in a risk to affected individuals.
The ICO has a dedicated online breach-reporting tool (ico.org.uk/for-organisations/report-a-breach). You will need to describe the nature of the breach, the categories and approximate number of individuals, the likely consequences, and the measures taken or proposed to mitigate. If you do not yet have the full picture, report what you know and update later — late or incomplete reporting is still better than none.
If the breach is likely to result in a high risk to individuals (for example, payment card details or a large batch of login credentials were exposed), Article 34 requires you to notify the affected individuals without undue delay. That is in addition to notifying the ICO and is a separate obligation. The fuller framework sits in our UK GDPR for business websites guide.
Even with good practices, breaches happen. Acting quickly and calmly makes all the difference.
A common misconception is that website security requires a large budget. For a small business, the true cost is surprisingly modest — especially if you choose the right platform from the outset.
| Security measure | DIY (self-hosted WordPress) | Managed (Sitejet Builder) |
|---|---|---|
| SSL certificate | Free (Let's Encrypt) to £80/yr (premium) | Free — included |
| Daily backups | £30 – £100/yr (plugin or service) | Free — included |
| Security plugin / firewall | £60 – £200/yr (Wordfence, Sucuri) | Not needed — managed server security |
| Malware scanning | £50 – £150/yr | Not needed — static-like architecture |
| Software updates | Your time (ongoing) | Handled by hosting |
| Hosting | £36 – £120/yr | £60/yr (£5/mo) |
| Estimated annual total | £180 – £650+ | £60 |
The DIY route is perfectly viable if you are comfortable managing updates, plugins and configurations yourself. For most UK SME owners who would rather spend time running the business, managed hosting that includes security by default is the simpler and cheaper option. The full economics across year one, two and three are in our true cost of running a website guide.
Website security is not only about preventing attacks. It is also about what the site says to every visitor who lands on it. Security is a trust signal — and trust converts visitors into customers.
When a customer sees the padlock and https:// in the address bar, they feel safe. They are more likely to fill a contact form, subscribe to a newsletter, and enter card details. When they see “Not secure”, they leave. Research consistently shows over 80% of UK online shoppers will abandon a purchase if they believe the site is not secure.
A site that loads quickly, works on mobile and is always available gives the impression of a well-run business. A site that is frequently down, slow to load or occasionally shows error messages creates doubt: is this business still trading? can I trust them with my order?
A custom .co.uk domain rather than a free subdomain. A professional e-mail address at your own domain rather than a Gmail account. An SSL padlock. A privacy policy. An accessibility statement. These are small details that add up to the picture of a business that takes itself — and its customers — seriously. For the bigger picture, see small business website essentials.
Sitejet Builder is designed so that website security is something you do not have to think about. Everything below is included in every Sitejet Builder Hosting plan at £5/month.
There is no /wp-admin/-style target for bots: the editor is accessed through a separate, authenticated interface. In short, Sitejet Builder gives you the security posture that would cost several hundred pounds a year to replicate on a self-managed platform, all included in the base price.
Q: Do I need an SSL certificate for my small business website?
A: Yes. SSL encrypts the connection between your site and visitors and protects submitted data. Without it, browsers show “Not secure” and scare customers away. Google also uses HTTPS as a ranking signal. With Sitejet Builder hosting, a free Let's Encrypt certificate activates automatically.
Q: How often should I back up my website?
A: Daily is the recommended minimum for any business site. If you run an active online shop with new orders through the day, look for hourly or transactional backups. Sitejet Builder includes daily automatic backups in the base price.
Q: What should I do if my website gets hacked?
A: Take it offline. Change all passwords. Restore from a clean backup. Check for stolen personal data and, if there is risk to individuals, report to the ICO within 72 hours. Contact your hosting provider for support and investigate the root cause before going live again.
Q: Is managed hosting more secure than doing it myself?
A: In most cases yes. The provider handles server security, OS and web-server updates, firewall configuration and backup schedules. Patches land promptly because a professional is accountable for them. On a self-managed WordPress install, those responsibilities fall on you — usually on a Sunday afternoon when something breaks.
Q: How much does website security cost for a UK SME?
A: On self-hosted WordPress, budget £180–£650/year for SSL, backups, firewall, malware scanning and time. On managed Sitejet Builder hosting it is included in the £60/year price. Either way, the cost is much less than the cost of a breach.
Q: Does website security affect my Google ranking?
A: Yes. HTTPS is a confirmed ranking signal. Beyond that, if your site serves malware, Google flags it with a full-screen warning that effectively blocks traffic — and the flag can take days or weeks to lift after cleanup.
Q: Should I pay for Wordfence or Sucuri?
A: If you run self-hosted WordPress, yes — one of them is a sensible investment. If you run a managed static-like builder such as Sitejet, no — the attack surface is small enough that paid WordPress plugins add cost but little meaningful protection.
Q: Does Cyber Essentials certification make sense for a micro-business?
A: Only if you sell into government, NHS or larger corporates that require it. For a sole-trader florist, the basic controls (strong passwords, 2FA, patched software, daily backups, SSL) give you the substantive benefit without the £300–£400 certification fee.
Q: How do I tell customers about a breach without making it worse?
A: Be specific and factual. Explain what happened, what data was affected, what you are doing to fix it, and what they should do (change a password, watch for phishing). UK consumers respond well to honest, quick communication and badly to silence followed by rumour. The ICO publishes a template notification you can adapt.
Q: Do I need cyber insurance?
A: For very small businesses it is often bundled into the existing professional indemnity or commercial package from providers like Hiscox or Superscript. Above £100k turnover, a dedicated cyber policy of £100–£500/year is usually proportionate and covers ICO legal fees, forensic response and business interruption.