Small Business Web Security Tips- Common Vulnerabilities and How to Fix Them

/ Small Business, Website Development, WordPress / ic_admin

Information Security is not something that only large companies with sensitive customer data have to worry about. Website security is a critical part of information technology doctrine no matter the size of your business or website.

Many small business owners view their website as an insignificant, irrelevant property that would be of no interest to hackers and bad actors. This couldn’t be further from the truth. Small business websites are a primary target for bad actors for precisely this reason. Hackers know that websites like these are often very poorly secured making them low hanging fruit.

“Many small business owners view their website as insignificant, irrelevant and of no interest to hackers and bad actors. This couldn’t be further from the truth.”

So what will a hacker go after? What are they looking to gain? Below are three of the most common vulnerabilities that we at InterActive Circle find on client sites and what you can do right now to make sure your site isn’t an easy target for hackers.

1. Poor Passwords

Sure, low-strength passwords are easy to remember for you, but they are also easy to breach for a hacker. In a “brute force attack”, a hacker uses a program to enter alphanumeric combinations into the password fields on your website admin login, a company email account, or any other place they could access potentially valuable information. The program repeats until it finds the correct combination.

What can you do?

Use strong passwords and store them in a secure location such as a password vault. Do NOT keep passwords in an unencrypted file or cloud document! Using password manager programs such as LastPass, Zoho Vault, or Keeper are all very worthwhile investments!

Password Managers allow you to:

  • Seamlessly & securely store every new password you create
  • Recall the password on demand for autofill
  • Share login information with other team members that you plug into your password manager program

    Zoho Vault password manager dashboard

2. Not Using Spam Filters

Most website owners have become accustomed to spam messages coming through their contact form. They have resigned themselves to them simply being a fact of life online. You may think the offers for viagra alternatives or Russian language emails may be harmless and simply delete them. Be wary though, as there are many more bot-driven scams that can leverage an unsecured contact form to attempt to breach your data security. The most common such scam is the “Phishing” scam which involves getting a recipient to open a link that will lead to a website that will install a malicious payload on the user’s machine or network. This can serve as an access point to sensitive customer information, financial information, and more. It could also be a ransomware attack which would lock down a user’s computer or network until a ransom is paid to a hacker.

What can you do?

Contact form spam and scams comes from bots that crawl the web looking for unsecured contact forms. You can avoid most of the danger from these schemes by using a robust spam filter on your website’s contact forms. Standard captcha plugins are not enough these days. You will also want to use a honeypot as well as a security question that a bot will not be able to answer. Examples include filling in a missing letter or a simple arithmetic question.

**Important note: These security measures are not meant to replace antiviral software and email security protocols. Never open any link if you are not 100% confident in the source.

3. Failure to Use Multi-Factor Authentication

Even strong passwords get hacked from time to time. Brute force attacks can still breach them and passwords may fall into the wrong hands for a multitude of reasons. This is where multi-factor authentication, often called two-factor authentication or 2FA, comes in. Two factor authentication requires a second verification step after you’ve entered a password before you access a platform. This can be a security question, receiving a verification code to a second device, or entering a 2FA code from an authenticator application.

You may see these extra steps as an annoyance, but trust us, nothing is more annoying than removing malware from your website!

What can you do?

Always opt into two factor authentication every time a program or platform asks you to. Using an authenticator application such as Authy or Google Authenticator makes the 2FA process very easy! Install the application on your mobile device and begin loading TOTP codes for the various accounts you want to enable 2FA on. The application will automatically generate a time sensitive 2FA code every time you open it which will be your key to logging in to your account. Since this code is unique to your device and application, the only way a bad actor could access your account is by having your device in hand. This is what makes it an extremely effective security measure.


These measures amount to a baseline for all websites. This is NOT a substitute for a professionally executed info security strategy. InterActive Circle offers a WordPress Security Suite service designed to address small business’s needs. An experienced info security technician will review your website and hosting accounts to audit for vulnerabilities, correct mistakes, and apply state of the art security programs. We aim to give you peace of mind and lasting security hardening as well as a support resource should anything go wrong. The Security Suite is included in our Website Hosting & Maintenance packages, but can also be purchased as an a la carte service for clients on third party hosting platforms.

We’d love for you to contact us and learn more about it!