Website Security Checklist for Small Business

Small business websites often depend on managed hosting, plugins, contractors, and third-party services. The most useful security work is usually clear ownership, basic hardening, and repeatable checks.

• A simple checklist helps owners and vendors agree on who maintains each part of the site.
• Many common issues come from missed updates, weak admin access, expired certificates, or stale DNS records.
• Basic scanning can catch public configuration problems, while manual review is still needed for custom code and payment or account flows.

• Scans externally visible items such as HTTPS behavior, security headers, cookies, DNS records, and redirects.
• Provides evidence that can be shared with a developer, host, or agency.
• Helps monitor drift after launch or handover.
• Does not replace a manual penetration test, code review, account access review, or incident response process.

• No clear owner for domain renewal, DNS, hosting, and backups.
• Admin accounts do not use multi-factor authentication.
• CMS, plugins, or themes are not patched.
• Forms collect sensitive information without a documented handling process.
• Old staging sites or vendor records remain public.

• Keep an owner list for domain, DNS, hosting, email, analytics, payments, and CMS administration.
• Require multi-factor authentication for admin, hosting, registrar, and email accounts.
• Patch CMS, plugin, theme, and dependency updates on a regular cadence.
• Confirm backups are restorable, not just scheduled.
• Run a basic external scan after major updates, DNS changes, and website handover.