QUICK ANSWER
A small business website security checklist should cover: valid SSL certificate, HTTP security headers (HSTS, CSP, X-Frame-Options), cookie consent compliance, SPF/DKIM/DMARC email records, no unnecessary open ports, no exposed sensitive files, and regular automated scanning.
Working through this checklist will address the most common security weaknesses found on UK small business websites. Each item includes what to check, why it matters, and how to fix it.
Your site must load over HTTPS on every page, with no exceptions. Check that your SSL certificate is current (not expired), covers every hostname you use (including www and any subdomains), and is issued by a trusted certificate authority with the full intermediate chain served, since a missing intermediate passes in some browsers and fails in others. Verify that http://yourdomain.co.uk, http://www.yourdomain.co.uk and the https:// www variant all redirect to a single HTTPS address, and that no page pulls scripts, styles or images over plain http:// (mixed content). Most hosting providers offer free certificates through Let's Encrypt; make sure renewal is automated, because a 90-day certificate that nobody renews is the most common way a site ends up with an expired one.
The Strict-Transport-Security header tells browsers to always use HTTPS for your site, even if someone manually types "http://" or follows an old http:// link. Without it, an attacker on the same network (public Wi-Fi, for example) can keep a visitor on plain HTTP and intercept or alter data. A minimum setting of max-age=31536000 (one year) is recommended. Note that the browser only learns the header on its first HTTPS visit, so that first visit is unprotected; the HSTS Preload List closes that gap by shipping your domain inside the browser itself. Preloading requires the includeSubDomains and preload directives in the header, so confirm every subdomain works over HTTPS first: once preloaded, it is very hard to undo.
This header prevents your site from being loaded inside a frame on another website. Without it, attackers can use a technique called clickjacking: loading your site invisibly behind a fake interface to trick visitors into clicking things they didn't intend to. Set this to DENY or SAMEORIGIN (the older ALLOW-FROM value is not supported by current browsers). The modern equivalent is the frame-ancestors directive in Content-Security-Policy; setting both is harmless, and browsers that understand frame-ancestors give it precedence. Learn more about this and other headers in our guide to HTTP security headers.
CSP controls which scripts, styles, and other resources your site is allowed to load. It's one of the most powerful defences against cross-site scripting (XSS) attacks, where an attacker injects malicious scripts into your pages. Even a basic policy such as default-src 'self' provides significant protection, because injected inline scripts and scripts from other domains are blocked. The catch is that inline scripts and third-party embeds you rely on (analytics, chat widgets, payment forms) will be blocked too, so deploy the policy first as Content-Security-Policy-Report-Only, fix what the reports show, then switch to the enforcing header. Start simple and tighten gradually.
This single-word header (nosniff) stops browsers from guessing the type of a response instead of trusting the Content-Type your server sent. Without it, a browser may treat a file as a script or stylesheet because of what it contains, even if your server labelled it as an image or plain text, which matters most for user uploads. It's one line of configuration and prevents a class of content-sniffing attacks.
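The following Python script is an added example, not code from the original page or from any scanner. It checks one response's headers for the four problems described in the items above (HSTS age and includeSubDomains, clickjacking protection, the script policy in the CSP, and nosniff). The two header sets at the bottom are constructed, not captured from a real site, and the severity labels are illustrative.

```python
"""Audit the HTTP security headers described above on one response.

Added example, not code from the original page. It runs offline on the
constructed header sets at the bottom; for a live site pass it
dict(response.headers) from a urllib or requests response.
"""
import re

ONE_YEAR = 31536000


def parse_csp(csp):
    """Turn a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of (severity, finding) for one response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age={age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains (needed for preload)"))

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp is not None else {}

    # Clickjacking: a valid X-Frame-Options or a CSP frame-ancestors directive will do.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in directives or xfo in ("DENY", "SAMEORIGIN"):
        pass
    elif xfo:
        findings.append(("medium", f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN"))
    else:
        findings.append(("medium", "no X-Frame-Options or CSP frame-ancestors"))

    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing"))
    else:
        # script-src falls back to default-src; a policy that allows
        # 'unsafe-inline' or a bare * for scripts gives little XSS protection.
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append(("medium", "CSP sets neither script-src nor default-src"))
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("medium", "CSP allows 'unsafe-inline' or * for scripts"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or 'no findings'}")
```

The audit only sees what one response sent, so run it against several pages (homepage, a login page, a file under /wp-content/), since headers set in one virtual host or location block are often missing from another.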
Under UK PECR, cookies (and similar technologies such as tracking pixels and local storage) that aren't strictly necessary for the service the visitor asked for must not be set until the visitor gives informed consent. This means your consent banner must load before any analytics, advertising, or tracking scripts execute. Test by loading your site in a private browsing window and checking the cookies the browser has stored (the Application or Storage tab in the browser's developer tools): before you click "Accept" there should be no analytics or advertising cookies, only the ones the site needs to function, such as a session or consent-state cookie. Many sites fail this because their tag manager loads before the consent banner renders, or because the banner records a refusal but never actually blocks the scripts.
All cookies should have the Secure flag (only sent over HTTPS), and sensitive cookies such as session tokens should also have the HttpOnly flag (not readable by JavaScript) and a SameSite value of Lax or Strict, which stops the browser attaching them to requests that other sites trigger (cross-site request forgery). Without the Secure flag, cookies can be intercepted on HTTP connections. Without HttpOnly, a cross-site scripting attack could steal session cookies and take over user accounts. Note that a cookie marked SameSite=None must also be Secure, or browsers discard it.
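As an added example (not code from the original page), this Python script parses a list of Set-Cookie headers and reports the missing attributes described above. Which cookie names count as "sensitive" is a heuristic chosen for the example (SESSION_HINTS), and the sample headers are constructed in the style of a WordPress site, not captured from a real one.

```python
"""Check Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example, not code from the original page. The name fragments in
SESSION_HINTS are a heuristic for "this cookie carries a session", and the
sample headers at the bottom are constructed, not captured from a real site.
"""

# Name fragments that suggest a cookie carries a session or login token.
SESSION_HINTS = ("sess", "sid", "token", "auth", "login", "logged_in")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value-or-True}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map
    to True, valued ones (SameSite, Path) to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def looks_sensitive(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(set_cookie_values):
    """Return (cookie name, problem) pairs for a list of Set-Cookie values."""
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        secure = "secure" in attrs
        if not secure:
            findings.append((name, "missing Secure"))
        if looks_sensitive(name) and "httponly" not in attrs:
            findings.append((name, "sensitive cookie missing HttpOnly"))
        samesite = str(attrs.get("samesite", "")).lower()
        if not samesite:
            findings.append((name, "missing SameSite (set Lax or Strict explicitly)"))
        elif samesite == "none" and not secure:
            findings.append((name, "SameSite=None without Secure: browsers reject it"))
    return findings


# Constructed sample Set-Cookie headers, as a WordPress site might send them.
SAMPLE_COOKIES = [
    "PHPSESSID=c0ffee; Path=/",
    "wordpress_logged_in_abc=user|deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.123; Path=/; SameSite=None",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_COOKIES):
        print(f"{name}: {problem}")
```

For a live check, collect the Set-Cookie values from a response to a page that actually sets cookies (the login page or the page after a successful login), since the homepage of many sites sets none; with urllib that is resp.headers.get_all("Set-Cookie").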
Sender Policy Framework is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. Without it, receiving servers have no way to tell your real mail from messages an attacker sends pretending to be your business. A basic SPF record looks like v=spf1 include:_spf.google.com ~all (if you use Google Workspace). Check that your SPF record includes every legitimate sender (your mail provider, but also any newsletter, CRM, invoicing or support tools that send mail as you) and ends with -all (hard fail) rather than ~all (soft fail), and only switch to -all once you are sure nothing is missing. A domain may have only one SPF record, and the record may not cause more than 10 DNS lookups across its include, a, mx, ptr, exists and redirect terms, or receivers treat it as a permanent error.
DomainKeys Identified Mail adds a cryptographic signature to your outgoing emails, proving they were sent by a system holding your domain's private key and haven't been modified in transit. Most email providers (Google Workspace, Microsoft 365) can generate DKIM keys for you. Enable it in your email provider's admin console and add the provided DNS record (a TXT record at selector._domainkey.yourdomain.co.uk). Choose a 2048-bit key where the provider offers one, and remember that every other service sending mail as your domain needs its own DKIM record too, or its messages will have to rely on SPF alone.
DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails both checks (or passes one that isn't aligned with the From: domain). The record lives at _dmarc.yourdomain.co.uk. Start with a monitoring policy (p=none) plus an rua= address to receive aggregate reports, review the reports to find legitimate senders you've missed, then move through p=quarantine to p=reject once you've confirmed all legitimate email passes. A DMARC policy of "none" is a common finding on security scans: it provides visibility but no actual protection, and a record with no rua= address provides neither.
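The following Python script is an added example, not code from the original page or from any scanner, that checks the text of SPF, DKIM and DMARC records for the weaknesses described in the three items above: a ~all or ?all ending and the 10-lookup limit in SPF, an empty or short DKIM key, and a p=none or report-less DMARC record. All the records at the bottom are constructed, not looked up from any real domain, and the DKIM key-size test is a rough length heuristic.

```python
"""Check SPF, DKIM and DMARC TXT records for the problems described above.

Added example, not code from the original page. It takes record text as input,
so it runs offline on the constructed samples below; for a live domain feed it
the output of `dig +short TXT yourdomain.co.uk`, `dig +short TXT
<selector>._domainkey.yourdomain.co.uk` and `dig +short TXT _dmarc.yourdomain.co.uk`
with dig's surrounding quotes removed. The 250-byte threshold in check_dkim()
is a rough "shorter than RSA-2048" heuristic, not a key-length calculation.
"""
import base64
import binascii

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse 'k=v; k2=v2' tag lists as used by DKIM and DMARC records."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ':domain', '=domain' and '/cidr' to get the bare mechanism name
        mechanism = term.split(":")[0].split("=")[0].split("/")[0].lower()
        if mechanism in LOOKUP_TERMS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"{all_qualifier}all rejects nothing: every sender is allowed through")
    elif all_qualifier == "~":
        findings.append("~all (soft fail): move to -all once every sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dkim(record):
    tags = parse_tags(record)
    if "p" not in tags:
        return ["no p= tag: not a usable DKIM record"]
    if tags["p"] == "":
        return ["p= is empty: this selector's key has been revoked"]
    findings = []
    try:
        if len(base64.b64decode(tags["p"], validate=True)) < 250:  # RSA-2048 ~ 294 bytes
            findings.append("public key looks shorter than 2048 bits")
    except binascii.Error:
        findings.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: key is in testing mode, so verifiers may ignore failures")
    return findings


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: the record is invalid")
    elif policy == "none":
        findings.append("p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once the reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are going nowhere")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of your mail")
    return findings


# Constructed sample records (not looked up from any real domain).
SPF_SOFT = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
SPF_HARD = "v=spf1 include:_spf.google.com -all"
SPF_TOO_MANY = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
DKIM_OK = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode()
DKIM_REVOKED = "v=DKIM1; k=rsa; p="
DMARC_MONITOR = "v=DMARC1; p=none"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; adkim=s; aspf=s"

if __name__ == "__main__":
    for fn, rec in ((check_spf, SPF_SOFT), (check_dkim, DKIM_REVOKED), (check_dmarc, DMARC_MONITOR)):
        print(fn.__name__, fn(rec) or "ok")
```

The lookup count here only counts the terms in your own record; each include: pulls in another record whose own lookups also count towards the 10, so a record that looks fine at the top level can still exceed the limit once Google, Microsoft and a newsletter tool are all included.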
Your server should only expose the ports it needs: 443 (HTTPS) and 80 (HTTP, redirecting to HTTPS). Common findings on small business servers include open database ports (3306 for MySQL, 5432 for PostgreSQL), admin panels (8080, 8443), and SSH (22) open to the whole internet. Databases should listen only on localhost or a private network; SSH and admin panels should be restricted to known IP addresses or reached through a VPN. Close or firewall anything that doesn't need to be publicly accessible, and check from outside your own network, because a firewall rule only proves itself from the outside. You can check your open ports with a free security scan.
Check that common sensitive files aren't accessible to the public. This includes .env files, .git directories, wp-config.php backups (wp-config.php.bak, wp-config.php~, wp-config.php.old), database dumps, and configuration files. Try navigating to yourdomain.co.uk/.env and yourdomain.co.uk/.git/config: if you see content (KEY=VALUE lines, or a [core] section) rather than an error page, you have an exposure. Be aware that some sites answer every unknown path with the homepage and a 200 status; that is not an exposure, only an unhelpful error page. Fix this by adding deny rules to your server configuration, and keep secrets and backups outside the web root altogether so that no rule is needed.
When directory listing is enabled, visitors can see every file in a folder that doesn't have an index page. This can expose backup files, uploaded documents, and internal resources. Test by navigating to a directory on your site that doesn't have an index file, such as an uploads folder: you should see a 403 Forbidden (or 404) error, not a page titled "Index of /...". Disable it in your web server configuration (Options -Indexes in Apache; autoindex off in nginx, which is already the default there).
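The following Python script is an added example, not code from the original page or from any scanner, covering both of the checks above (exposed files and directory listings). The fetcher is passed in as a function so the logic runs offline against the constructed fake site at the bottom; http_fetch() is the real fetcher for live use. The path list and content fingerprints are illustrative choices, not a complete wordlist, and the soft-404 handling (compare every 200 against the response for a random path that cannot exist) is the part a manual check usually gets wrong.

```python
"""Probe for the exposed files and directory listings described above.

Added example, not code from the original page. `fetch` is injected so the
logic can run offline against the constructed FAKE_SITE below; http_fetch()
is the live fetcher. PATHS and FINGERPRINTS are illustrative, not exhaustive.
"""
import re
import secrets

PATHS = ["/.env", "/.git/config", "/.git/HEAD", "/wp-config.php.bak",
         "/backup.sql", "/backup.zip", "/uploads/"]

# A 200 only counts as an exposure when the body looks like the file asked for;
# this filters out sites that answer every unknown path with a 200 page.
FINGERPRINTS = {
    "/.env": re.compile(r"^[A-Z_][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\[core\]", re.M),
    "/.git/HEAD": re.compile(r"^ref: refs/"),
    "/wp-config.php.bak": re.compile(r"DB_PASSWORD"),
    "/backup.sql": re.compile(r"CREATE TABLE|INSERT INTO", re.I),
    "/backup.zip": re.compile(r"^PK\x03\x04"),
}
LISTING = re.compile(r"<title>Index of /|Parent Directory", re.I)


def http_fetch(url, timeout=10):
    """Live fetcher: returns (status, body text); 4xx/5xx are returned, not raised."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "checklist-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def probe(base_url, fetch):
    """Return (path, problem) pairs for files or listings readable under base_url."""
    findings = []
    # Soft-404 baseline: fetch a path that cannot exist and remember the answer.
    canary_status, canary_body = fetch(f"{base_url}/{secrets.token_hex(8)}")
    for path in PATHS:
        status, body = fetch(base_url + path)
        if status != 200:
            continue  # 403/404 is the answer we want
        if canary_status == 200 and body == canary_body:
            continue  # same page as the canary: a soft 404, not an exposure
        if path.endswith("/"):
            if LISTING.search(body):
                findings.append((path, "directory listing enabled"))
        elif FINGERPRINTS[path].search(body):
            findings.append((path, "sensitive file readable"))
    return findings


# Constructed fake site: an exposed .env, a blocked .git, a listable uploads
# folder, and a homepage served with status 200 for everything else.
FAKE_BASE = "https://example.co.uk"
FAKE_SITE = {
    "/.env": (200, "APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    "/.git/config": (403, "<h1>Forbidden</h1>"),
    "/uploads/": (200, "<html><head><title>Index of /uploads</title></head></html>"),
}
SOFT_404 = (200, "<html><body>Welcome to Example Ltd</body></html>")


def fake_fetch(url):
    return FAKE_SITE.get(url[len(FAKE_BASE):], SOFT_404)


if __name__ == "__main__":
    for path, problem in probe(FAKE_BASE, fake_fetch):
        print(f"{path}: {problem}")
```

Against a real site call probe("https://yourdomain.co.uk", http_fetch) from a host you own. The exact-match canary comparison is deliberately simple: a soft-404 page that embeds the requested path or a timestamp will differ on every request, which is why the content fingerprints are checked as well rather than trusting the status code alone.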
Even with all the above protections, things can go wrong. Maintain regular, automated backups of your website files and database. Store backups in a separate location from your web server — if your server is compromised, backups stored on the same machine are compromised too. Test your restore process periodically. A backup you haven't tested restoring is just a file, not a recovery plan.
This is the single item most likely to prevent a breach. Update your CMS, plugins, themes, server software, and any dependencies as soon as security patches are released. If you run WordPress, enable automatic updates for minor releases and check weekly for plugin updates. Remove any plugins or themes you're not actively using — they're often forgotten and become attack vectors.
Going through this list manually is time-consuming, and some items (like port scanning or cookie auditing) require technical tools. A security scanner automates most of these checks and produces a prioritised report. Run one now to see how your site scores, then use the results to work through any gaps.
For more detail on any item, explore our guides on how to secure a website from hackers, what website security scanning is, and what a security check looks for.