10-Point Web Hosting Security Checklist for Business Websites


A compromised business website is not just a technical problem — it's a brand problem, a legal problem, and potentially a revenue problem. A site defaced with malware warnings in Google Search loses customers immediately. A site serving malware to visitors can trigger legal liability under state privacy laws. A site taken offline by a ransomware attack represents real lost business for every hour it's down.

The good news is that most business website compromises are preventable. They follow predictable attack patterns that a properly hardened hosting environment stops cold. The following 10-point checklist covers the controls that matter most — not a theoretical list of every possible security measure, but the specific items that address the attack vectors responsible for the overwhelming majority of business website incidents.

Run through this checklist for your current site. If you can't answer "yes" to every item, you have specific gaps to close.

1. SSL/TLS Certificate — Enforced HTTPS Site-Wide

Every page on your website must be served over HTTPS, enforced by a valid SSL/TLS certificate. This is not optional in 2026 — browsers flag HTTP sites as "Not Secure," Google deprioritizes them in search results, and any form submission over HTTP transmits data in plaintext. Your certificate should be from a recognized Certificate Authority (Let's Encrypt is free and widely supported), auto-renewing (expired certificates cause browser warnings that kill visitor trust), and enforced with an HTTP-to-HTTPS redirect at the server level. Also enable HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

2. Web Application Firewall (WAF)

A WAF sits between the internet and your web server, inspecting incoming requests and blocking malicious patterns — SQL injection attempts, cross-site scripting payloads, path traversal attacks, and known exploit signatures. A WAF is not a nice-to-have for business websites; it's the primary defense against the automated scanners that probe every public website constantly. Cloudflare, Sucuri, and AWS WAF are the most common providers. Many managed hosting plans include WAF as part of the stack. If yours doesn't, add one. The cost is $20–$200/month depending on the provider and traffic volume — negligible compared to the cost of a breach.

3. Daily Backups Stored Offsite

Your website backup must be: daily (or more frequent if your site changes daily), stored in a separate location from the hosting environment (a compromised server means a compromised backup if they're co-located), retained for at least 30 days, and tested. "Tested" means you've actually run a restore from the backup and verified the site came back correctly. A backup you've never tested is not a backup — it's a theory. If your host offers backups in the same environment as your site, add a separate backup to cloud storage (Amazon S3, Backblaze B2, or similar).
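The local half of a backup job that meets the four requirements above (daily, stored away from the site, 30-day retention, tested by restoring), added here as an example rather than code from the article or from IT Center. It assumes GNU tar, gzip and sha256sum are present, that the database is dumped by a separate step, and that a separate sync job mirrors the backup directory to offsite storage such as S3 or B2; every path in it is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Local half of a daily site backup:
# archive the webroot, record a checksum, prove the archive restores, and
# prune copies older than the retention window. The offsite copy (an S3/B2
# sync of the backup directory) and the database dump are separate steps.
set -eu

RETAIN_DAYS="${RETAIN_DAYS:-30}"   # the article's minimum retention

# make_backup WEBROOT BACKUP_DIR [STAMP]
# Writes BACKUP_DIR/site-STAMP.tar.gz plus a .sha256 sidecar; prints the archive path.
make_backup() {
  webroot="$1"; backup_dir="$2"; stamp="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
  mkdir -p "$backup_dir"
  archive="$backup_dir/site-$stamp.tar.gz"
  # -C makes member paths relative to the webroot, so a restore can go anywhere.
  tar -czf "$archive" -C "$webroot" .
  sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# "Tested" means restored: the checksum must match what was recorded at backup
# time (catches truncated or partially copied files), and every member listed
# in the archive must exist after extracting it into a scratch directory.
verify_backup() {
  archive="$1"
  recorded="$(cat "$archive.sha256" 2>/dev/null || true)"
  actual="$(sha256sum "$archive" | awk '{print $1}')"
  if [ -z "$recorded" ] || [ "$recorded" != "$actual" ]; then
    echo "verify: checksum mismatch for $archive" >&2
    return 1
  fi
  scratch="$(mktemp -d)"
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    rm -rf "$scratch"; echo "verify: extraction failed for $archive" >&2; return 1
  fi
  # The while loop runs in a subshell, so one missing member fails the pipeline.
  if ! tar -tzf "$archive" | while IFS= read -r member; do
       [ -e "$scratch/$member" ] || exit 1
     done; then
    rm -rf "$scratch"; echo "verify: restored tree incomplete for $archive" >&2; return 1
  fi
  rm -rf "$scratch"
  return 0
}

# prune_backups BACKUP_DIR [DAYS]
# Deletes archives and sidecars older than DAYS; prints how many archives remain.
prune_backups() {
  backup_dir="$1"; days="${2:-$RETAIN_DAYS}"
  find "$backup_dir" -maxdepth 1 -type f -name 'site-*.tar.gz*' -mtime +"$days" -exec rm -f {} +
  find "$backup_dir" -maxdepth 1 -type f -name 'site-*.tar.gz' | wc -l | tr -d ' '
}

# daily_backup WEBROOT BACKUP_DIR
# The cron entry point: old copies are pruned only after today's copy verified.
daily_backup() {
  archive="$(make_backup "$1" "$2")"
  if ! verify_backup "$archive"; then
    echo "daily_backup: new archive failed verification; keeping old copies" >&2
    return 1
  fi
  prune_backups "$2" >/dev/null
  printf '%s\n' "$archive"
}

# Typical cron use (assumed paths): a script that ends with
#   daily_backup /var/www/html /var/backups/site
# run once a night, followed by the offsite sync of /var/backups/site.
```

The ordering in daily_backup is the point: a backup that fails its own restore test must never be allowed to push a good older copy past the retention window.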

4. Correct File and Directory Permissions

Misconfigured file permissions are one of the most common paths attackers use to escalate access on a compromised hosting account. Directories should be set to 755 (owner can read, write and traverse; everyone else can read and traverse). Files should be 644 (owner can read/write; everyone else can read only). Configuration files containing credentials (wp-config.php, .env, database configuration files) should be 600 (readable only by the owner) or 640 (readable only by the owner and the owner's group, for setups where the web server process reads the file through that group). Publicly accessible directories should never be writable by the web server process unless the application specifically requires it, and even then only the specific directory that needs it.
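A script that applies the scheme above and then audits for the two things it warns about, added here as an example and not code from the article or from IT Center. It assumes the site files are owned by the deploy user, that the web server process runs in that user's group, and that the only place the application must write is one uploads directory you name explicitly; the credential file names are the ones the checklist mentions plus two common ones, and the paths in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Applies the 755/644/600 scheme from the
# checklist and audits for anything writable by "everyone", group-writable
# directories outside the one upload directory, and credential files readable
# by anyone but their owner. Assumptions: files are owned by the deploy user,
# the web server runs in that user's group, and only the named uploads
# directory needs to be writable by it. Use 640 instead of 600 for a secret
# the web server must read through the group.
set -eu

# secret_files WEBROOT [find-args...]
# Locates credential-bearing files (wp-config.php and .env from the checklist;
# config.php and database.yml added as common equivalents). Extend for your stack.
secret_files() {
  root="$1"; shift
  find "$root" -type f \( -name wp-config.php -o -name .env -o -name config.php \
    -o -name database.yml \) "$@"
}

# harden_permissions WEBROOT [WRITABLE_SUBDIR]
harden_permissions() {
  webroot="$1"; writable="${2:-}"
  find "$webroot" -type d -exec chmod 755 {} +      # directories: rwxr-xr-x
  find "$webroot" -type f -exec chmod 644 {} +      # files:       rw-r--r--
  secret_files "$webroot" -exec chmod 600 {} +      # credentials: rw-------
  # Only the directory the application really writes to gets group write (775),
  # the "specifically required" exception the checklist allows.
  if [ -n "$writable" ] && [ -d "$webroot/$writable" ]; then
    find "$webroot/$writable" -type d -exec chmod 775 {} +
  fi
}

# audit_permissions WEBROOT [WRITABLE_SUBDIR]
# Prints offenders and returns 1 if any are found; suitable as a cron check.
audit_permissions() {
  webroot="$1"; writable="${2:-__none__}"
  ww="$(find "$webroot" -perm -002)"                                  # world-writable
  gw="$(find "$webroot" -type d -perm -020 \
        ! -path "$webroot/$writable" ! -path "$webroot/$writable/*")" # group-writable elsewhere
  sr="$(secret_files "$webroot" -perm -004)"                          # secrets readable by others
  [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
  [ -n "$gw" ] && printf 'group-writable outside %s:\n%s\n' "$writable" "$gw"
  [ -n "$sr" ] && printf 'credential file readable by others:\n%s\n' "$sr"
  [ -z "$ww$gw$sr" ]
}

# Typical use (assumed paths):
#   harden_permissions /var/www/html wp-content/uploads
#   audit_permissions  /var/www/html wp-content/uploads
```

Run the audit function on its own from cron: a clean run prints nothing and returns 0, so any output is something a plugin, an installer or a person changed after the last hardening pass.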

5. Automated Malware Scanning

Malware on business websites is often dormant for days or weeks after initial compromise — attackers inject code that phones home or harvests visitor data silently while the site appears normal. Automated malware scanning detects these injections before they cause visible damage or Google blacklisting. Sucuri SiteCheck, Wordfence (for WordPress), and server-side tools like ClamAV or Imunify360 provide continuous or scheduled scanning. Your hosting environment should scan at least daily and alert immediately on detection. If your host doesn't provide this, add Sucuri's managed platform or a WordPress security plugin with active monitoring.

6. Login Hardening — Admin URL, Rate Limiting, CAPTCHA

The default admin login URL for WordPress (/wp-admin), Joomla (/administrator), and other common CMS platforms is the first target for brute-force bots. Change the admin login URL to a non-default path. Implement rate limiting that blocks IPs after a defined number of failed login attempts (5–10 is standard). Add CAPTCHA or challenge-response to the login form. Disable XML-RPC if you're not using it — it's a common vector for WordPress brute-force attacks that bypasses login page protections. These controls together eliminate the majority of credential-stuffing and brute-force attacks against your site.
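The detection side of the controls above, added as an example and not code from the article or from IT Center: read a web server access log, count failed login attempts per source address, and turn the addresses over the threshold into Nginx deny rules. It assumes the standard Nginx/Apache "combined" log format, that a failed WordPress login is a POST to /wp-login.php answered with 200 (the form is re-rendered) while a success answers 302, and that every POST to /xmlrpc.php counts as an attempt, since the article notes XML-RPC bypasses login-page protections. The log lines, addresses and paths are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Counts failed login attempts per IP in a
# combined-format access log and emits Nginx "deny" directives for the IPs at
# or above the threshold. Assumptions: failed WordPress login = POST
# /wp-login.php with status 200 (success is a 302); any POST to /xmlrpc.php
# counts as an attempt. Sample log lines are constructed.
set -eu

THRESHOLD="${THRESHOLD:-5}"   # failures before an IP is flagged; the article suggests 5-10

SAMPLE_LOG='203.0.113.7 - - [12/Mar/2026:09:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2026:09:20:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "https://www.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:09:20:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "https://www.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:09:20:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:31:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:31:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:31:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:31:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:31:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"'

# brute_force_ips [THRESHOLD]
# stdin: access log lines; stdout: "ip count" for every IP at or above the threshold.
brute_force_ips() {
  awk -v limit="${1:-$THRESHOLD}" '
    # combined format fields: $1 client ip, $6 "METHOD, $7 request path, $9 status
    $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == "200") || $7 == "/xmlrpc.php") {
      fails[$1]++
    }
    END { for (ip in fails) if (fails[ip] >= limit) printf "%s %d\n", ip, fails[ip] }
  ' | sort
}

# deny_rules
# stdin: "ip count" lines; stdout: directives for an Nginx include file that is
# pulled into the server block with an "include" line (assumed path below).
deny_rules() {
  awk '{ printf "deny %s;\n", $1 }'
}

# Typical use against a live log (assumed paths):
#   brute_force_ips 5 < /var/log/nginx/access.log | deny_rules > /etc/nginx/conf.d/blocklist.conf
```

In the constructed sample the human at 198.51.100.23 mistypes twice and then succeeds, so it stays under the threshold, while the scripted client and the XML-RPC client are both flagged. A tool such as fail2ban does the same counting continuously and expires the blocks for you; the one-shot version above is for checking that your rate limiting is actually catching what the log shows.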

7. Two-Factor Authentication for Hosting Panel and CMS Admin

Compromised hosting panel credentials — cPanel, Plesk, Cloudways, or your cloud provider console — give an attacker complete control of your hosting environment. Enable two-factor authentication (2FA) on every admin account: your hosting panel, your CMS admin account, your domain registrar, and your DNS provider. Authenticator apps (Google Authenticator, Authy) are more secure than SMS-based 2FA. This single control stops virtually all credential-stuffing attacks that use stolen passwords from data breaches — a password alone is not enough to access the account.

8. Software Updates — CMS, Plugins, Themes, Server Software

The majority of WordPress compromises exploit known vulnerabilities in outdated plugins and themes — vulnerabilities with published patches that the site owner simply never applied. Keep your CMS core, all plugins, all themes, PHP version, and any server-side software (Nginx, Apache, MySQL) current. Enable automatic updates for WordPress core and plugins where possible. Audit your plugin list and remove any plugins that are no longer maintained (no updates in 12+ months is a warning sign). On self-managed VPS or dedicated servers, establish a monthly patching cadence at minimum — weekly for critical security patches.

9. Content Delivery Network (CDN) with DDoS Protection

A CDN serves your website's static content from edge nodes geographically distributed around the world, which improves load speed for visitors and conceals your origin server's real IP address. The IP masking matters for security: if attackers cannot discover your origin server's address, they cannot bypass the CDN and hit the origin directly with DDoS traffic or scanning. Cloudflare's free tier provides CDN, basic DDoS mitigation, and WAF capabilities. Paid tiers add advanced DDoS protection and enhanced WAF rules. For any business website with consistent traffic or public visibility, Cloudflare or an equivalent CDN should be in front of your origin server.

10. Security Headers — CSP, X-Frame-Options, HSTS, Referrer-Policy

HTTP security headers are server-level directives that tell browsers how to behave when rendering your pages — they prevent entire classes of attacks at the browser layer. Content-Security-Policy (CSP) restricts the sources from which the browser may load scripts and other resources, blocking most cross-site scripting attacks. X-Frame-Options prevents clickjacking. X-Content-Type-Options stops MIME-type sniffing attacks. Referrer-Policy controls how much of the referring URL is sent with outbound requests. HSTS, covered under item 1, belongs to the same set. These headers are configured in your web server configuration or hosting panel and require no code changes to your site. Test your current headers at securityheaders.com — most business websites fail multiple checks.
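An offline check for the headers behind items 1 and 10 (the HTTP-to-HTTPS redirect, HSTS, CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy), added here as an example and not code from the article or from IT Center. It takes the raw response headers that `curl -sI` prints, so it can be run against your own site or, as here, against constructed sample responses; example.com is a placeholder, and the one-year HSTS minimum it enforces (31536000 seconds) is the value browser preload lists require.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Offline audit of the headers behind
# items 1 and 10. Feed it raw response headers (example.com is a placeholder):
#   curl -sI https://www.example.com | audit_security_headers
#   curl -sI http://www.example.com  | audit_http_redirect
# The 31536000-second (one year) HSTS minimum is what browser preload lists
# require; the sample responses at the bottom are constructed.
set -eu

# header_value NAME   (stdin: raw headers; prints the first matching value, case-insensitive)
header_value() {
  tr -d '\r' | awk -F: -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    tolower($1) == want { v = $0; sub(/^[^:]*:[ \t]*/, "", v); print v; exit }'
}

# audit_security_headers   (stdin: headers of the HTTPS response; returns 1 if any check fails)
audit_security_headers() {
  h="$(tr -d '\r')"
  report="$(
    hsts=$(printf '%s\n' "$h" | header_value Strict-Transport-Security)
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -ge 31536000 ]; then echo "PASS Strict-Transport-Security: $hsts"
    else echo "FAIL Strict-Transport-Security: ${hsts:-missing} (want max-age>=31536000)"; fi
    csp=$(printf '%s\n' "$h" | header_value Content-Security-Policy)
    if [ -n "$csp" ]; then echo "PASS Content-Security-Policy: $csp"
    else echo "FAIL Content-Security-Policy: missing"; fi
    xfo=$(printf '%s\n' "$h" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    case "$xfo" in
      DENY|SAMEORIGIN) echo "PASS X-Frame-Options: $xfo" ;;
      *) echo "FAIL X-Frame-Options: ${xfo:-missing} (want DENY or SAMEORIGIN)" ;;
    esac
    xcto=$(printf '%s\n' "$h" | header_value X-Content-Type-Options | tr 'A-Z' 'a-z')
    if [ "$xcto" = "nosniff" ]; then echo "PASS X-Content-Type-Options: nosniff"
    else echo "FAIL X-Content-Type-Options: ${xcto:-missing} (want nosniff)"; fi
    rp=$(printf '%s\n' "$h" | header_value Referrer-Policy)
    if [ -n "$rp" ]; then echo "PASS Referrer-Policy: $rp"
    else echo "FAIL Referrer-Policy: missing"; fi
  )"
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -q '^FAIL'; then return 1; fi
  return 0
}

# audit_http_redirect   (stdin: headers of the plain-HTTP response)
# Wants a permanent redirect (301 or 308, so browsers cache it) to an https:// URL.
audit_http_redirect() {
  h="$(tr -d '\r')"
  status=$(printf '%s\n' "$h" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$h" | header_value Location)
  case "$status:$loc" in
    301:https://*|308:https://*) echo "PASS redirect: $status -> $loc"; return 0 ;;
  esac
  echo "FAIL redirect: status ${status:-?} location ${loc:-missing} (want 301/308 to https://)"
  return 1
}

# Constructed sample responses (what curl -sI prints, minus the CR characters).
GOOD_HEADERS="HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' https://cdn.example.com
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin"

BAD_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://partner.example"

REDIRECT_OK="HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/"

REDIRECT_BAD="HTTP/1.1 200 OK
Content-Type: text/html"
```

The BAD_HEADERS sample fails all five checks even though two of the headers are present: a five-minute HSTS max-age gives a browser almost no protection, and the ALLOW-FROM form of X-Frame-Options is ignored by current browsers, so both count as missing. Presence alone is not the bar; the value has to be one the browser will enforce.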

Bottom line: Running through this checklist takes a few hours. A compromised business website — with the associated downtime, remediation cost, SEO damage, and customer trust impact — can cost weeks of recovery time and thousands of dollars. The investment is clearly justified.

IT Center manages web hosting security for businesses across Southern California. If you'd like an independent review of your current hosting environment against this checklist, we can identify your specific gaps and remediate them. See our managed web hosting and cybersecurity services for how we keep business websites secure ongoing.

Want a Security Audit of Your Business Website?

IT Center reviews your hosting environment against this checklist and provides a written report of gaps with specific remediation steps. We also offer managed hosting environments where these controls are maintained for you ongoing.


Or call us directly: (888) 221-0098 | [email protected]
