SME Website Security: 10-Point Cyber-Defence Playbook

Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026

This is the practical cyber-defence perspective: which attacks target SME websites, how to stop them, and what it costs when it goes wrong. For the GDPR Article 32 compliance perspective (the legal "appropriate measures" framing and AP fine cases), see the separate guide GDPR Article 32 website security: compliance checklist.

Why an SME website is a target

The assumption that "we're too small to be interesting" no longer works. Website attacks are almost entirely automated: bots scan the whole IPv4 range for vulnerable WordPress versions, open admin pages, and weak passwords. They don't differentiate by company size.

The Dutch numbers:

The good news: most attacks are stopped by basic hygiene. These 10 points cover the vast majority of the automated-attack volume. No technical expertise required, no budget required, about 30 minutes per item.

Want to know where you stand first? Run a free scan and see within two minutes which items in this checklist already pass.

1. SSL certificate (HTTPS)

An SSL certificate encrypts traffic between your website and visitors. Without SSL, anyone on the same network can read passwords, form data, payment information.

Check:

  • Does the address bar show a lock icon?
  • Does your URL start with https://?
  • Does http://yoursite.com automatically redirect to https://?
  • Is the certificate not expired? (Click the lock icon to see the expiry date.)

Fix:

Most hosts offer free SSL via Let's Encrypt. With providers like TransIP, Antagonist, and Strato, you can enable it with a click in your control panel. Also set up an HTTP-to-HTTPS redirect; otherwise your site stays reachable over both, and visitors who type the plain address never get the encrypted version.

2. CMS and software updates

WordPress, Joomla, Drupal, and other CMSes release security updates regularly. Every outdated version is an open door. In 2025, 11,334 new vulnerabilities were found in the WordPress ecosystem, a 42 percent increase year over year. 88 percent of web attacks involve stolen credentials (Verizon DBIR 2025).

Check:

  • Is your CMS running on the latest version?
  • Are automatic updates enabled for minor security releases?
  • Have you hidden the CMS version number? (By default WordPress exposes this in page source.)

Fix:

Log in to your admin panel and install available updates. In WordPress: Dashboard > Updates. Enable automatic minor updates. Schedule a monthly slot to check for major updates manually.

3. Strong passwords

The admin password is the front door of your website. A weak password (companyname123, welcome01, admin) is cracked in seconds by automated brute-force attacks.

Check:

  • Is your admin password at least 16 characters?
  • Does it contain a mix of letters, digits, and symbols?
  • Do you use a unique password for each site?
  • Do you avoid sharing passwords via email or WhatsApp?

Fix:

Use a password manager like Bitwarden (free) or 1Password. Generate a random password of at least 16 characters. Change it today if yours is short or predictable.

4. Security headers

Security headers are instructions your web server sends with every page. They tell the visitor's browser what is and isn't allowed. Without them, your site is more vulnerable to attacks like XSS and clickjacking.

The headers you need:

  • Content-Security-Policy (CSP): restricts which scripts and resources can load
  • X-Content-Type-Options: prevents MIME-type confusion attacks
  • X-Frame-Options: blocks your site from being iframed elsewhere
  • Strict-Transport-Security (HSTS): forces HTTPS even if a user types HTTP
  • Referrer-Policy: limits information sent when clicking outbound links
  • Permissions-Policy: disables camera, microphone, and location access by default

Fix:

On most hosts, headers are set via an .htaccess file (Apache) or server config (Nginx). WordPress users can use a plugin like "Headers Security Advanced & HSTS WP". Not sure which you're missing? Scan your site and you'll see immediately. You can also use our open-source @trustyourwebsite/security-headers tool to check headers from your CI pipeline.
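To show what such a check actually looks at, here is an added example (not the @trustyourwebsite tool and not code from this article) that evaluates the six headers from the list above against a constructed set of response headers. It flags a missing header, a too-short HSTS max-age, a CSP that allows inline scripts, and a leaky Referrer-Policy; the sample headers and the 180-day HSTS threshold are assumptions.

```python
"""Added example: offline evaluation of the six headers listed in item 4."""
import re

REQUIRED = [
    "content-security-policy", "x-content-type-options", "x-frame-options",
    "strict-transport-security", "referrer-policy", "permissions-policy",
]
HSTS_MIN_AGE = 15552000  # 180 days in seconds (assumed threshold)

def check_headers(headers):
    """Return {header-name: 'ok' | 'missing' | weakness note} for the six headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    verdicts = {}
    for name in REQUIRED:
        if name not in h:
            verdicts[name] = "missing"
            continue
        value = h[name].lower()
        note = "ok"
        if name == "x-content-type-options" and value != "nosniff":
            note = "value should be 'nosniff'"
        elif name == "x-frame-options" and value not in ("deny", "sameorigin"):
            note = "value should be DENY or SAMEORIGIN"
        elif name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < HSTS_MIN_AGE:
                note = "max-age too short; use at least 180 days"
        elif name == "content-security-policy" and "'unsafe-inline'" in value:
            note = "contains 'unsafe-inline'; inline scripts weaken XSS protection"
        elif name == "referrer-policy" and value in ("unsafe-url", "no-referrer-when-downgrade"):
            note = "leaks full URLs; prefer strict-origin-when-cross-origin"
        verdicts[name] = note
    return verdicts

def passing(verdicts):
    """Number of the six headers that are present and not flagged."""
    return sum(1 for v in verdicts.values() if v == "ok")

SAMPLE_RESPONSE_HEADERS = {  # constructed sample of a partially hardened site
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    verdicts = check_headers(SAMPLE_RESPONSE_HEADERS)
    for name, verdict in verdicts.items():
        print(f"{name:28} {verdict}")
    print("passing:", passing(verdicts), "of", len(REQUIRED))
```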

5. Change the admin URL

By default, the WordPress login page is at /wp-admin or /wp-login.php. Attackers know this and target their brute-force attacks at those paths. Millions of login attempts hit default admin paths daily.

Check:

  • Is your admin URL still the default (/wp-admin, /administrator, /wp-login.php)?
  • Do you see many failed login attempts in your logs?

Fix:

Change the login URL with a plugin like WPS Hide Login (WordPress) or equivalent for your CMS. Choose a URL that's not guessable but that you can remember. Combine this with rate-limiting login attempts (items 3 and 6 also help here).
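The "many failed login attempts in your logs" check above can be automated. This added example (not from the article) counts POST requests to /wp-login.php per IP over Apache combined-format access log lines and flags the sources above a threshold. The log lines are constructed, with addresses from the documentation ranges; the heuristic assumed here is that WordPress answers a failed login with 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
"""Added example: spot brute-force login sources in an Apache-style access log."""
import re
from collections import Counter

# client IP, request method, path, and status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def suspicious_ips(log_text, threshold=10):
    """Return {ip: failed_login_count} for IPs with at least `threshold` failures.

    A failed WordPress login is taken as POST /wp-login.php answered with 200;
    a successful one redirects (302) and is not counted (assumed heuristic).
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def _line(ip, method, path, status):
    """Build one constructed log line in Apache combined format."""
    return f'{ip} - - [06/Apr/2026:10:00:01 +0200] "{method} {path} HTTP/1.1" {status} 4123'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 12   # constructed: repeated failures
    + [_line("198.51.100.5", "POST", "/wp-login.php", 302)]     # constructed: one successful login
    + [_line("198.51.100.5", "GET", "/wp-admin/", 200)]
    + [_line("192.0.2.9", "POST", "/wp-login.php", 200)] * 2    # constructed: a user mistyping twice
)

if __name__ == "__main__":
    for ip, count in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins")
```

On a real server, feed it the access log of your host and raise the threshold to suit normal traffic; an IP that trips it is a candidate for rate limiting.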

6. Two-factor authentication (2FA)

A strong password is good. A strong password plus a second factor is much better. With 2FA, an attacker also needs your phone or authenticator app.

Check:

  • Is 2FA enabled for all admin accounts?
  • Are you using an authenticator app (Google Authenticator, Authy) instead of SMS?
  • Do staff with admin access also have 2FA enabled?

Fix:

WordPress: install a plugin like "Two Factor Authentication" or "Wordfence". Choose an authenticator app over SMS (SMS is vulnerable to SIM-swapping). Enable 2FA for every account with admin rights. Takes five minutes; makes brute-force attacks virtually impossible.

7. Clean up plugins and themes

Every plugin and theme is a potential vulnerability. Unused plugins that don't get updated are the biggest risk. Of the 11,334 WordPress vulnerabilities in 2025, the overwhelming majority were in plugins and themes, not core. More on vulnerable WordPress plugins.

Check:

  • Are all plugins and themes updated to the latest version?
  • Have you removed plugins you no longer use? (Deactivating is not enough.)
  • Do you only download plugins from the official repository or trusted developers?
  • Are you using nulled (illegally copied) plugins or themes? They almost always contain malware.

Fix:

Go to your plugin list. Remove everything you don't actively use. Update what remains. Check whether plugins are still maintained: if the last update was more than a year ago, find an alternative.

8. Backups

A backup is your last resort when things go wrong. Hacked, accidentally deleted, server failure: without a backup you start from zero. See also what to do when your website is hacked.

Check:

  • Are backups taken automatically?
  • How often? (Daily is the minimum for active sites.)
  • Are backups stored separately from your live site? (Not on the same server.)
  • Have you ever tested a restore?

Fix:

Most hosts offer automatic backups. Check that it's enabled and how long backups are retained. For WordPress, plugins like UpdraftPlus (free) work well. Store backups in the cloud (Google Drive, Dropbox) and test a restore at least once per quarter.

9. File permissions

File permissions determine who can read, write, or execute files on your server. Wrong permissions let attackers modify files, upload malware, or read your configuration.

Check:

  • Directories at 755 and files at 644?
  • wp-config.php (WordPress) at 400 or 440?
  • Directory listing disabled? (Type yoursite.com/wp-content/uploads/ in your browser. If you see a file list, this is wrong.)

Fix:

Connect via FTP or your host's file manager. Check the permissions of your root, wp-config.php, and uploads folders. Most FTP clients (FileZilla) let you change permissions via right-click. When in doubt, ask your host to set standard safe permissions.
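If you have shell access rather than only FTP, the three checks above can be run over the whole tree. This added example (not from the article) walks a directory and reports anything that deviates from the targets stated above: directories 755, files 644, wp-config.php 400 or 440, plus anything world-writable. It builds a small constructed sample tree with deliberate mistakes so it runs offline; point `audit_tree` at your real document root instead.

```python
"""Added example: audit file permissions against the item 9 targets."""
import os
import stat
import tempfile

def classify(path, mode, is_dir):
    """Return a list of problems for one entry (empty list means it matches the targets)."""
    perm = stat.S_IMODE(mode)
    problems = []
    if perm & stat.S_IWOTH:
        problems.append("world-writable")
    if os.path.basename(path) == "wp-config.php":
        if perm not in (0o400, 0o440):
            problems.append(f"wp-config.php is {perm:o}, expected 400 or 440")
    elif is_dir and perm != 0o755:
        problems.append(f"directory is {perm:o}, expected 755")
    elif not is_dir and perm != 0o644:
        problems.append(f"file is {perm:o}, expected 644")
    return problems

def audit_tree(root):
    """Return {relative path: [problems]} for every entry under root that is off target."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; check the target separately
            problems = classify(path, st.st_mode, is_dir)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings

def build_demo_tree():
    """Construct a tiny WordPress-like tree with two deliberate mistakes (sample data)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)  # mistake: uploads left world-writable
    for rel, perm in [("index.php", 0o644), ("wp-config.php", 0o644),  # mistake: config too open
                      ("wp-content/uploads/photo.jpg", 0o644)]:
        p = os.path.join(root, rel)
        open(p, "w").close()
        os.chmod(p, perm)
    return root

if __name__ == "__main__":
    for rel, problems in sorted(audit_tree(build_demo_tree()).items()):
        print(f"{rel}: {'; '.join(problems)}")
```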

10. Monitoring and alerts

You can only respond to a problem once you know it exists. Many hacked sites are only discovered weeks later, when Google has already flagged them as unsafe.

Check:

  • Is Google Search Console set up? (Google warns you about security problems.)
  • Are you notified if your site goes offline?
  • Do you have a security plugin that detects suspicious activity?
  • Do you periodically check that your domain has working SPF/DKIM/DMARC to prevent spoofing?

Fix:

Set up Google Search Console (free). Use an uptime monitor like UptimeRobot (free up to 50 monitors). WordPress users: install Wordfence or Sucuri for real-time security monitoring. Set DMARC on your domain so no one can spoof email from your business.
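The SPF/DKIM/DMARC check above is a matter of reading two DNS TXT records. This added example (not from the article) assesses an SPF record and a DMARC record that you paste in as strings: it distinguishes a missing record, a monitoring-only DMARC policy (p=none), and an SPF record that ends in ~all or +all instead of -all. The sample records are constructed for the fictional example.com; DNS lookup itself is left to your resolver or hosting panel.

```python
"""Added example: grade the SPF and DMARC TXT records that item 10 asks you to check."""

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (grade, explanation) for the _dmarc.<domain> TXT record."""
    if not record:
        return ("missing", "no DMARC record: receivers cannot reject mail spoofing your domain")
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("invalid", "record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ("weak", "p=none only monitors; move to p=quarantine or p=reject")
    if policy not in ("quarantine", "reject"):
        return ("invalid", "p tag missing or unknown")
    if "rua" not in tags:
        return ("ok-but", "add rua=mailto:... to receive aggregate reports")
    return ("ok", f"p={policy} with aggregate reporting enabled")

def assess_spf(record):
    """Return (grade, explanation) for the domain's SPF TXT record (assumes 'all' is last)."""
    if not record:
        return ("missing", "no SPF record")
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ("invalid", "record must start with v=spf1")
    if any(t.lower().startswith("redirect=") for t in terms):
        return ("ok-but", "delegates via redirect=; assess the target record instead")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ("weak", "+all lets any host send as your domain")
    if last == "~all":
        return ("ok-but", "~all is a softfail; -all is stricter")
    if last == "-all":
        return ("ok", "-all hard-fails unlisted senders")
    return ("weak", "no 'all' mechanism; unlisted hosts get a neutral result")

SAMPLE_DNS = {  # constructed sample TXT records, not a real domain
    "example.com": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    print("SPF  :", *assess_spf(SAMPLE_DNS["example.com"]))
    print("DMARC:", *assess_dmarc(SAMPLE_DNS["_dmarc.example.com"]))
```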

The Digital Trust Center framework

The Dutch Digital Trust Center (DTC) summarises good SME cyber hygiene in 5 basic principles: inventory your vulnerabilities, choose safe defaults, run updates, restrict access, prevent malware. The 10 controls above map directly to those five principles.

Also run the free DTC Basisscan Cyberweerbaarheid for an objective baseline of where you stand.

Cyber-defence is also GDPR compliance

The practical measures in this guide overlap heavily with what GDPR Article 32 requires for "appropriate technical and organisational measures". If you have these 10 items in order, you sit at a defensible level for most SME processing.

For the legal explanation (which Article 32 category each check covers, which fines the AP has issued, what "appropriate" means for your processing), see the sister guide GDPR Article 32 website security: compliance checklist.

Is your site showing as "Not secure" in the browser? See how to fix that.

How are you scoring?

Walk through the 10 items above. Every one you can tick makes your site more secure.

  • 8-10 points: your site is well secured. Keep updates and backups current.
  • 5-7 points: serious gaps. Address the missing items this week.
  • Fewer than 5: your site is at active risk. Start today with SSL, updates, and passwords.

Want to be sure?

A checklist is a good start, but you want to know what you cannot see: hidden vulnerabilities, missing headers, outdated software. You won't find that by looking at your own site.

Scan your website free and get a security report in two minutes. No account, no commitment.


This article is technical analysis, not legal advice. Consult a lawyer for advice tailored to your situation.