[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"service:\u002Fservices\u002Fsecurity\u002Fwebsite":3},{"id":4,"title":5,"body":6,"description":16,"draft":436,"extension":437,"kicker":438,"meta":439,"metaDescription":440,"navigation":441,"order":442,"path":443,"primaryKeyword":444,"seo":445,"stem":446,"summary":438,"type":447,"__hash__":448},"services\u002Fservices\u002Fsecurity\u002Fwebsite.md","Website security for UK small businesses",{"type":7,"value":8,"toc":405},"minimark",[9,13,17,34,39,42,58,61,65,68,74,80,86,89,93,96,101,104,107,113,117,120,123,128,132,135,138,143,147,155,160,164,167,172,176,179,200,204,211,243,247,250,257,264,271,278,282,289,297,301,304,307,311,314,318,321,324,328,331,338,342,346,349,353,356,360,363,367,370,374,377,381,384,387,390,397],[10,11,5],"h1",{"id":12},"website-security-for-uk-small-businesses",[14,15,16],"p",{},"Website security comes down to five things, done properly and kept up: a valid SSL certificate so data is encrypted, software patched within days not months, backups you can actually restore from, locked-down logins, and active monitoring for malware. True Noise runs all five for the sites we build and look after, as part of your monthly plan and not a separate invoice, so your site stays online, stays out of trouble, and meets the baseline UK law expects.",[14,18,19,27,28],{},[20,21,22],"strong",{},[23,24,26],"a",{"href":25},"#get-a-free-website-security-check","Get a free website security check"," · ",[20,29,30],{},[23,31,33],{"href":32},"\u002Fpricing","Start a project",[35,36,38],"h2",{"id":37},"who-this-is-for","Who this is for",[14,40,41],{},"This page is for you if any of this sounds familiar:",[43,44,45,49,52,55],"ul",{},[46,47,48],"li",{},"You've seen \"Not Secure\" in the browser bar next to your own site and you're not sure what it means or whether it's costing you customers.",[46,50,51],{},"Your site is built on something an old developer set up, and nobody's touched the updates in a long time.",[46,53,54],{},"You take payments or capture enquiries, and you've started wondering what actually happens if that data leaks.",[46,56,57],{},"You keep reading about businesses getting hacked and you'd just like to know, plainly, whether yours is safe.",[14,59,60],{},"We're a small UK business ourselves, running our own website under exactly the same rules. So we'll say this up front: you don't need to become a security expert. You need the handful of things that matter to be done properly and kept current, and ideally to be someone else's job.",[35,62,64],{"id":63},"whats-actually-at-stake","What's actually at stake",[14,66,67],{},"Website security isn't about worst-case scenarios. It's about three ordinary risks that affect real small businesses, and all three are manageable.",[14,69,70,73],{},[20,71,72],{},"The legal one."," If your site handles personal data — names, emails, card details, even contact-form submissions — UK GDPR (Article 32) requires you to have \"appropriate technical and organisational measures\" in place to protect it. If there's a notifiable breach, you have to tell the Information Commissioner's Office (the ICO, the UK's data regulator) within 72 hours. Things like missing encryption or unpatched software count against you if it comes to that. We cover this calmly in the legal section below: basic website security is also legal hygiene.",[14,75,76,79],{},[20,77,78],{},"The continuity one."," A hacked or knocked-over site is a closed shop. If your website is how people find you, book you, or buy from you, downtime is lost revenue you don't get back. According to the UK Government's Cyber Security Breaches Survey 2025, the average cost of the most disruptive breach in the past year was around £1,600 across all UK businesses (£3,550 if you exclude the incidents that cost nothing), and that's before you count the time and stress of putting things right.",[14,81,82,85],{},[20,83,84],{},"The trust one."," Browsers now label sites without a valid certificate as \"Not Secure\", and visitors notice. A compromised site can also be quietly turned into something that hosts malware or spam — in 2023 the security firm Sucuri found that 20.3% of the infected websites it cleaned were being used for SEO spam (across 39,594 cleaned sites). That's reputational damage you didn't choose and may not even know about.",[14,87,88],{},"None of this is meant to alarm you. It's the case for getting five straightforward things right.",[35,90,92],{"id":91},"what-we-cover-the-five-pillars","What we cover: the five pillars",[14,94,95],{},"There's no magic to keeping a website safe. It's five areas, done properly and kept up. Here's what each one is, why it matters, and what we do about it.",[97,98,100],"h3",{"id":99},"_1-ssltls-the-padlock-that-encrypts-your-data","1. SSL\u002FTLS — the padlock that encrypts your data",[14,102,103],{},"An SSL certificate is what puts the padlock in the browser bar and turns \"http\" into \"https\". In plain terms, it encrypts the data travelling between your visitor and your site, so logins, contact forms and payment details can't be read in transit. The technology behind it is now called TLS, and the National Cyber Security Centre (the NCSC, the UK's authority on this) is clear: web services should be served over HTTPS only, redirect any old HTTP traffic to the secure version, and use modern TLS (version 1.2 at a minimum, 1.3 preferred). The older versions are deprecated and shouldn't be used at all.",[14,105,106],{},"You need this even if you don't take payments. It protects every form and login on the site, browsers flag pages without it, and it's a prerequisite for a lot of modern web features.",[14,108,109,112],{},[20,110,111],{},"What we do:"," provision your certificate, set it to renew automatically so it never quietly lapses, force HTTPS everywhere, and configure TLS to current NCSC guidance.",[97,114,116],{"id":115},"_2-staying-patched-the-single-most-common-way-sites-get-compromised","2. Staying patched — the single most common way sites get compromised",[14,118,119],{},"Software that hasn't been updated is the most common way websites get broken into — usually through out-of-date plugins, themes or the platform itself. The scale is real: the WordPress security firm Patchstack recorded 7,966 new vulnerabilities across the WordPress ecosystem in 2024 (a 34% rise on the year before), and 96% of them were in plugins rather than the core software. Of those, 33% had no fix available at the moment they were made public, and 43% needed no login at all to exploit.",[14,121,122],{},"The fix is timely patching, and there's a clear benchmark for \"timely\". The NCSC's Cyber Essentials scheme requires in-scope software to be updated within 14 days of a vendor release where the issue is rated critical or high, or scores 7 or above on the standard severity scale — and from 27 April 2026 (Cyber Essentials v3.3), missing that window is an automatic fail. Yet according to the UK Government's Cyber Security Breaches Survey 2025, only 32% of UK businesses have a policy to apply updates within 14 days. Most sites are simply behind.",[14,124,125,127],{},[20,126,111],{}," keep your site's software on a deliberate, tested update routine inside the 14-day window for serious issues, applied and checked so fixes land promptly without breaking anything.",[97,129,131],{"id":130},"_3-backups-so-even-ransomware-cant-take-you-down","3. Backups — so even ransomware can't take you down",[14,133,134],{},"A backup is only useful if it's recent, off the live server, and you can actually restore from it. We follow the NCSC's well-established 3-2-1 rule (guidance last updated March 2025): keep at least three copies of your data, on two different devices or media, with one of them off-site. Crucially, at least one copy should be offline or disconnected — because ransomware is designed to encrypt whatever it can reach, including connected USB drives and synced cloud storage.",[14,136,137],{},"The benefit is simple: even if something locks your live site, your backup is untouched, and getting back online is a restore rather than a rebuild. Ransomware is still a minority threat — the UK Government's Cyber Security Breaches Survey 2025 estimates it affected around 1% of UK businesses (roughly 19,000), though that's up from under 0.5% the year before — but a tested backup is cheap insurance against the worst day.",[14,139,140,142],{},[20,141,111],{}," automated daily backups stored off-site to the 3-2-1 rule, with at least one offline copy, tested restores, and we handle the restore for you, so no technical knowledge is needed on your part.",[97,144,146],{"id":145},"_4-access-control-most-break-ins-are-an-unlocked-door","4. Access control — most break-ins are an unlocked door",[14,148,149,150,154],{},"The most common way in isn't a clever exploit; it's a weak or reused password on an admin account. Reassuringly, the NCSC's advice here makes life ",[151,152,153],"em",{},"easier",", not harder. It recommends against forced password complexity rules and routine scheduled password changes (both push people into predictable patterns). Instead: use multi-factor authentication (MFA — a second check beyond the password), use a password manager so every login is long, unique and remembered for you, keep separate standard and admin accounts, and always change default vendor passwords before anything goes live.",[14,156,157,159],{},[20,158,111],{}," turn on multi-factor authentication for your site's admin and hosting, set up least-privilege access so people only have what they need, and make sure no default or shared credentials are left lying around.",[97,161,163],{"id":162},"_5-malware-monitoring-and-hardening-catching-trouble-early","5. Malware monitoring and hardening — catching trouble early",[14,165,166],{},"Even a well-run site benefits from a watchful eye. Sucuri's 2023 analysis of compromised sites found that 39.1% were running outdated software at the point of infection and 49.21% had at least one backdoor left behind — which is why monitoring matters: the goal is to spot a problem early rather than discover it when a customer or Google does. For shops, the specific risk is card skimmers (small pieces of malicious code that steal payment details at checkout); in the first half of 2024 alone, Sucuri identified 156 distinct skimmer variants, with the most common one found on 2,242 sites.",[14,168,169,171],{},[20,170,111],{}," harden the site against common attacks, monitor for malware and unexpected changes, and act on anything that looks wrong, so issues are caught early rather than after the damage is done.",[35,173,175],{"id":174},"how-it-works","How it works",[14,177,178],{},"No long audits, no jargon, no scare tactics. Three steps.",[180,181,182,188,194],"ol",{},[46,183,184,187],{},[20,185,186],{},"Audit."," We run a free website security audit — your certificate and HTTPS setup, your security headers, and an outside look at obvious exposure. You get a plain-English summary of where you stand before you commit to anything.",[46,189,190,193],{},[20,191,192],{},"Fix and harden."," We put right what the audit finds: certificate and HTTPS, the patching backlog, backups, logins and access, and basic hardening. A clear scope, agreed with you first.",[46,195,196,199],{},[20,197,198],{},"Ongoing management."," Keeping a site safe isn't a one-off: software keeps changing. So patching, backups, certificate renewal and monitoring become part of your monthly plan, and stay our job, not yours.",[35,201,203],{"id":202},"what-this-protects-you-against","What this protects you against",[14,205,206,207,210],{},"Security is easier to trust when you can see what each part is ",[151,208,209],{},"for",". Here's how the five pillars map to the threats they actually counter.",[43,212,213,219,225,231,237],{},[46,214,215,218],{},[20,216,217],{},"Phishing that plants malware."," Phishing is the dominant threat by a distance — the UK Government's Cyber Security Breaches Survey 2025 found that 85% of UK businesses which suffered any breach identified phishing as the attack type, and 42% of small businesses experienced a phishing attempt in the year (down from 49% in 2024). Countered by access control (MFA stops a stolen password being enough) and malware monitoring.",[46,220,221,224],{},[20,222,223],{},"Plugin and software exploits."," The drive-by route in, via the out-of-date components above. Countered by 14-day patching and hardening.",[46,226,227,230],{},[20,228,229],{},"Credential stuffing."," Attackers trying leaked username-and-password pairs against your logins. Countered by MFA, unique passwords from a password manager, and least-privilege access.",[46,232,233,236],{},[20,234,235],{},"Ransomware."," Locking your data and demanding payment. Countered by 3-2-1 backups with an offline copy — the live site can be locked, the backup can't.",[46,238,239,242],{},[20,240,241],{},"Card skimmers (for shops)."," Malicious code that steals payment details at checkout. Countered by patching, hardening and malware monitoring.",[35,244,246],{"id":245},"where-the-law-sits-calmly","Where the law sits — calmly",[14,248,249],{},"This part worries people more than it needs to, so here it is plainly.",[14,251,252,253,256],{},"If your website handles personal data, ",[20,254,255],{},"UK GDPR Article 32"," asks you to have \"appropriate technical and organisational measures\" to keep it safe. There's no checklist of named products — but missing basics like encryption (no HTTPS) or unpatched software are the kind of thing that counts against you if there's ever a problem. The five pillars on this page are, in effect, those measures.",[14,258,259,260,263],{},"If a breach happens that's likely to put people's data at risk, you must report it to the ",[20,261,262],{},"ICO within 72 hours"," of becoming aware. The maximum standard-tier fine under UK GDPR is £17.5 million or 4% of global annual turnover, whichever is higher — that figure is the ceiling for the most serious breaches, not an automatic penalty, and it's there to show the regime has teeth, not to frighten you. The ICO's stated approach to smaller organisations is supportive first.",[14,265,266,267,270],{},"One more, briefly: if your site uses analytics or marketing cookies, ",[20,268,269],{},"PECR"," (the Privacy and Electronic Communications Regulations) applies separately to consent for those — worth knowing, and straightforward to get right.",[14,272,273,274,277],{},"The takeaway is simple: getting the technical basics right ",[151,275,276],{},"is"," how you meet the legal baseline. Do the security, and the compliance largely follows.",[35,279,281],{"id":280},"a-note-on-wordpress","A note on WordPress",[14,283,284,285,288],{},"If your site is on WordPress, you've probably been told either that it's perfectly safe or that it's a disaster waiting to happen. Neither is quite right. WordPress core is well maintained — the risk lives in the plugin and theme ecosystem and in installs that fall behind (recall that 96% of those 2024 vulnerabilities were in plugins). A WordPress site ",[151,286,287],{},"can"," be kept safe — but only with constant, hands-on maintenance: every plugin watched, every update tested, unused extensions removed, the admin properly locked down. That's real, ongoing work, and it's a burden a small-business owner shouldn't have to carry.",[14,290,291,292,296],{},"So we don't build, host or maintain WordPress. What we do is migrate clients off it onto a modern, secure stack that's safe by default — fewer moving parts to patch, less attack surface, and the maintenance handled for you. If you'd rather stop worrying about your site's plumbing than learn to maintain it, that's the conversation to have. (See ",[23,293,295],{"href":294},"\u002Fservices\u002Fpresence\u002Fmigrate-off-wordpress","migrating off WordPress",".)",[35,298,300],{"id":299},"cyber-essentials-if-you-want-the-badge","Cyber Essentials, if you want the badge",[14,302,303],{},"Cyber Essentials is the UK government's baseline security certification, backed by the NCSC. It checks five practical controls — secure configuration, user access control, malware protection, security update management, and firewalls — and certification starts at £320+VAT for the smallest organisations. There's a useful perk: UK organisations with annual turnover under £20 million that certify their whole organisation get cyber liability insurance included (arranged through IASME, the scheme's partner) at no extra cost.",[14,305,306],{},"It isn't compulsory for most businesses, but it's increasingly asked for in government and larger-company supply chains, and it's a credible, audited way to show customers you take this seriously. The work it asks for overlaps heavily with the five pillars above, so if certification is a goal, we can help you get the technical side ready.",[35,308,310],{"id":309},"how-we-hold-ourselves-to-the-same-standard","How we hold ourselves to the same standard",[14,312,313],{},"We think the people responsible for your site's security should be visibly serious about their own. So we run our own systems to a higher standard than most agencies hold their clients' to: secrets kept out of code, intrusion protection in front of our services, and automated security and quality checks on everything we ship. We mention it not as a feature list, but because we run a website under the same rules we'd apply to yours.",[35,315,317],{"id":316},"proof","Proof",[14,319,320],{},"Our position rests on the official UK evidence above: the Government's Cyber Security Breaches Survey, NCSC guidance, and independent security research, which is the same evidence we work from.",[14,322,323],{},"When we run your free website security check, you'll see exactly the kind of evidence we work from — your real certificate and HTTPS status and a look at your security headers — before you commit to anything.",[35,325,327],{"id":326},"how-this-fits-your-plan","How this fits your plan",[14,329,330],{},"Website security isn't a separate product with its own price tag. For sites we build or look after, the ongoing work — patching, backups, certificate renewal and monitoring — is part of your monthly plan, so the cost is predictable and there's nothing extra to chase. Fixing up an existing site, or migrating off an ageing one, is scoped as project work first; once it's with us, keeping it safe is included.",[14,332,333,334,337],{},"See the ",[23,335,336],{"href":32},"pricing page"," for what the monthly plan covers, or just ask us about security when you request a quote.",[35,339,341],{"id":340},"frequently-asked-questions","Frequently asked questions",[97,343,345],{"id":344},"does-my-website-actually-need-an-ssl-certificate-if-it-doesnt-take-payments","Does my website actually need an SSL certificate if it doesn't take payments?",[14,347,348],{},"Yes. An SSL certificate (HTTPS) encrypts all the data moving between your visitors and your site — logins, contact-form entries, cookies — not just payments. Browsers now flag pages without it as \"Not Secure\", the NCSC expects HTTPS on all web services, and it's a prerequisite for many modern web features. It's a baseline, not an upgrade, and we provision and auto-renew it so it never lapses.",[97,350,352],{"id":351},"how-often-should-i-back-up-my-website","How often should I back up my website?",[14,354,355],{},"Follow the NCSC's 3-2-1 rule: at least three copies, on two different devices or media, with one off-site. For most small businesses, automated daily backups plus a weekly full backup is a sensible baseline — and at least one copy should be kept offline or disconnected, because ransomware encrypts the backups it can reach. The other half people forget: test that you can actually restore from them. We handle all of this for sites we look after.",[97,357,359],{"id":358},"my-website-is-built-on-wordpress-is-it-secure","My website is built on WordPress. Is it secure?",[14,361,362],{},"It can be, but it takes ongoing work. WordPress core is well maintained; the risk is in the plugin and theme ecosystem — Patchstack found 7,966 new ecosystem vulnerabilities in 2024, 96% of them in plugins. A WordPress site stays safe only if it's kept current, unused plugins are removed, and the admin is protected with multi-factor authentication. We don't build, host or maintain WordPress ourselves — we migrate clients onto a modern, secure stack so that maintenance burden isn't yours to carry.",[97,364,366],{"id":365},"what-happens-if-my-website-gets-hacked-and-customer-data-is-exposed","What happens if my website gets hacked and customer data is exposed?",[14,368,369],{},"Under UK GDPR Article 32 you're expected to have appropriate measures in place to protect personal data. If a breach is likely to put people's data at risk, you must report it to the ICO within 72 hours of becoming aware. The maximum standard-tier fine is £17.5 million or 4% of global turnover, but that's the ceiling for the most serious cases, not a default. Inadequate basics — no HTTPS, unpatched software — count against you. The practical defence is exactly the five pillars on this page, plus a clean, recent backup so you can get back online quickly.",[97,371,373],{"id":372},"what-is-cyber-essentials-and-do-i-need-it","What is Cyber Essentials and do I need it?",[14,375,376],{},"It's the UK government's baseline security certification, backed by the NCSC, testing five core controls. It starts at £320+VAT for the smallest organisations, and UK businesses with turnover under £20 million that certify their whole organisation get cyber liability insurance included (via IASME). It isn't mandatory for most businesses, but it's increasingly required to win government or larger-company contracts and is a credible signal to customers otherwise. The technical work overlaps with what we'd do anyway, so we can help you get ready for it.",[97,378,380],{"id":379},"is-changing-my-password-regularly-really-necessary","Is changing my password regularly really necessary?",[14,382,383],{},"No — and the NCSC actively advises against routine scheduled changes, because they push people towards weaker, predictable passwords. The better approach is a password manager so every login is long and unique, multi-factor authentication switched on, no reusing passwords across services, and only changing a password if there's evidence it's been compromised. It's less hassle and genuinely safer.",[35,385,26],{"id":386},"get-a-free-website-security-check",[14,388,389],{},"We'll run a free, no-obligation website security check: your SSL certificate and HTTPS setup, your security headers, and a quick look at obvious exposure — so you can see plainly where your site stands. No commitment, no jargon, just a clear picture of how safe your site actually is and what (if anything) is worth fixing.",[14,391,392],{},[20,393,394],{},[23,395,26],{"href":396},"\u002Fcontact",[14,398,399,400,404],{},"Ready to go further? ",[20,401,402],{},[23,403,33],{"href":32}," and we'll scope the fixes — or the move to a modern, secure build — with the ongoing security handled from day one.",{"title":406,"searchDepth":407,"depth":407,"links":408},"",2,[409,410,411,419,420,421,422,423,424,425,426,427,435],{"id":37,"depth":407,"text":38},{"id":63,"depth":407,"text":64},{"id":91,"depth":407,"text":92,"children":412},[413,415,416,417,418],{"id":99,"depth":414,"text":100},3,{"id":115,"depth":414,"text":116},{"id":130,"depth":414,"text":131},{"id":145,"depth":414,"text":146},{"id":162,"depth":414,"text":163},{"id":174,"depth":407,"text":175},{"id":202,"depth":407,"text":203},{"id":245,"depth":407,"text":246},{"id":280,"depth":407,"text":281},{"id":299,"depth":407,"text":300},{"id":309,"depth":407,"text":310},{"id":316,"depth":407,"text":317},{"id":326,"depth":407,"text":327},{"id":340,"depth":407,"text":341,"children":428},[429,430,431,432,433,434],{"id":344,"depth":414,"text":345},{"id":351,"depth":414,"text":352},{"id":358,"depth":414,"text":359},{"id":365,"depth":414,"text":366},{"id":372,"depth":414,"text":373},{"id":379,"depth":414,"text":380},{"id":386,"depth":407,"text":26},false,"md",null,{},"Website security for UK small businesses, done properly: SSL, 14-day patching, 3-2-1 backups, locked-down logins, malware monitoring. Free website security check.",true,99,"\u002Fservices\u002Fsecurity\u002Fwebsite","website security audit",{"title":5,"description":16},"services\u002Fsecurity\u002Fwebsite","service","buZFgCJADPJaWJNCUwgwJSG4pOg-EknUFF5AhCLGscE"]