Small business websites are consistently under-secured. Not because owners don't care (most of them do) but because security is rarely part of the original build brief and rarely comes up again once the site is live.

Over the past year, we reviewed ten small and medium-sized business websites for security vulnerabilities, a mix of Nigerian and UK clients covering corporate marketing sites and WooCommerce stores. Here’s what we found.

The most common vulnerabilities

01. Default admin username still in use

Seven of ten sites still had a WordPress administrator account with the username 'admin'. It is the first username any automated brute-force tool tries, so keeping it hands the attacker half of the credential pair for free. Changing the username takes two minutes. One caveat: it only helps if the new name isn't exposed elsewhere (see finding 05 on user enumeration), so treat the rename and the enumeration fix as a pair.

02. No login attempt limits

None of the sites had any restriction on failed login attempts. An attacker can run thousands of password guesses against wp-login.php indefinitely, with no consequence. A login-limiting plugin or a server-level rate limit closes this gap immediately. Make sure the limit also covers xmlrpc.php: its system.multicall method lets a client bundle many login attempts into a single HTTP request, so a rule that only counts requests to wp-login.php misses most of the traffic.
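The following is an added example of the plugin-side version of this fix, written for this article and not code from the original post or from any existing plugin. It is a must-use plugin (dropped into wp-content/mu-plugins/, so it cannot be deactivated from the dashboard) that counts failed logins per source address in a transient and refuses authentication once a threshold is reached. The plugin name, the gt_ prefix and the thresholds are illustrative choices.

```php
<?php
/**
 * Plugin Name: GT Login Limiter (example mu-plugin)
 *
 * Locks a source address out of authentication after too many failed logins.
 * Save as wp-content/mu-plugins/gt-login-limiter.php. The plugin name,
 * function prefix and thresholds are illustrative choices, not WordPress defaults.
 */

defined( 'ABSPATH' ) || exit;

const GT_LOGIN_MAX_FAILURES = 5;        // failures allowed per window
const GT_LOGIN_WINDOW       = 15 * 60;  // seconds; refreshed on every failure

/**
 * Source address of the current request.
 * Behind a CDN or reverse proxy REMOTE_ADDR is the proxy, and the real client
 * address arrives in a header the proxy sets (Cloudflare uses CF-Connecting-IP).
 * Trust such a header only when that proxy is the only path to the origin;
 * otherwise an attacker can forge it and dodge the lockout.
 */
function gt_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function gt_login_failure_key() {
    // Transient names have a length limit, so hash the address.
    return 'gt_login_fail_' . md5( gt_login_client_ip() );
}

// Count failures. Core fires wp_login_failed for wrong passwords and unknown
// usernames alike, for wp-login.php, XML-RPC and REST logins. Because the
// lockout error below also counts as a failure, hammering a locked address
// keeps extending its lockout window.
add_action( 'wp_login_failed', function () {
    $key      = gt_login_failure_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, GT_LOGIN_WINDOW );
} );

// Refuse authentication once the threshold is reached. Priority 100 runs after
// core's username/password and cookie checks (priorities 20 and 30), which
// would otherwise replace this error with their own result.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( gt_login_failure_key() ) >= GT_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'gt_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 100 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( gt_login_failure_key() );
} );
```

The counter lives in a transient, so on a site with a persistent object cache it sits in the cache and on other sites in the options table; either way it expires on its own and needs no cleanup job. A server-level rule (a rate limit on wp-login.php and xmlrpc.php in nginx or Apache) stops the requests before PHP runs at all and is the better option where you control the server; the plugin approach works on shared hosting where you don't.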

03. Outdated plugins with known CVEs

Eight of ten sites had at least one plugin that hadn't been updated in over six months. Four of those had plugins with publicly disclosed CVEs (Common Vulnerabilities and Exposures entries). A CVE means the flaw is public and documented, and for popular WordPress plugins that usually means exploitation attempts follow within days of disclosure.

This is not theoretical. Automated scanners fingerprint WordPress plugin versions at scale, every day. If your site runs a version with a known CVE, it will eventually be found, regardless of how small or obscure the business is.

04. No SSL on subdomains or staging

The main domain had HTTPS on all ten sites. Staging environments, admin panels and API endpoints on subdomains often didn't. Credentials and session cookies sent over plain HTTP are trivially interceptable on shared networks, and a staging site usually carries the same admin passwords as production.

05. User enumeration exposed

WordPress exposes usernames by default in several places: requesting /?author=1 redirects to /author/<username>/, the REST API lists every user with published posts at /wp-json/wp/v2/users, and since WordPress 5.5 the built-in sitemap publishes author archive URLs in wp-sitemap-users-1.xml. An attacker who can list usernames has done half the credential-guessing work before attempting a single login.

Security isn’t about making your site impenetrable. It’s about making it more expensive to attack than the next one. Most attackers are opportunistic and move on when they hit resistance.

06. wp-config.php not hardened

The wp-config.php file contains database credentials, security keys and environment settings. On five of ten sites it sat in the web root with default permissions and no additional access controls. The web server normally executes the file rather than serving it, but a broken PHP handler or a stray backup copy (wp-config.php.bak, wp-config.php~) will serve its contents as plain text. WordPress automatically looks for wp-config.php one directory above the web root, so moving it there needs no code change; where the hosting doesn't allow that, deny access to the file in the server configuration and tighten its permissions so only the web server user can read it. Either takes five minutes.

07. No Web Application Firewall

A WAF filters malicious traffic before it reaches your application. Zero of the ten sites had one configured. Cloudflare's free tier provides a basic WAF alongside CDN and DDoS protection. There's no cost argument against it. One condition: the origin server must accept traffic only from Cloudflare's address ranges. If the origin IP is reachable directly, an attacker who finds it (old DNS records, certificate transparency logs, mail headers) simply bypasses the WAF.

The fixes that take under an hour

  1. Change the admin username and enforce a strong password policy
  2. Install and configure a login attempt limiting plugin, covering xmlrpc.php as well as wp-login.php
  3. Enable auto-updates for plugins, themes and WordPress core, and take a backup first so a bad update can be rolled back
  4. Enable Cloudflare free tier for WAF, CDN and DDoS protection, and restrict the origin to Cloudflare's IP ranges
  5. Disable user enumeration (author archives, the REST users endpoint and the users sitemap) via functions.php, a must-use plugin or a security plugin
  6. Move wp-config.php above the web root, or deny access to it in the server configuration
  7. Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security once every subdomain serves HTTPS

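As an added example that is not part of the original article, the must-use plugin below implements fixes 5 and 7 from the list, covering the three enumeration paths described under finding 05 and the security headers. It is example code written for this page, not a published plugin; the plugin name, file name and header values are illustrative choices.

```php
<?php
/**
 * Plugin Name: GT Hardening (example mu-plugin)
 *
 * Stops username enumeration and adds baseline security headers.
 * Save as wp-content/mu-plugins/gt-hardening.php. The plugin name and the
 * header values are illustrative choices, not WordPress defaults.
 */

defined( 'ABSPATH' ) || exit;

/*
 * Fix 5a: /?author=N normally 301-redirects to /author/<nicename>/, and the
 * nicename is derived from the login name. Send every author query to the
 * home page instead. Priority 0 runs before core's redirect_canonical()
 * at priority 10. Caveat: this also disables public author archive pages.
 */
add_action( 'template_redirect', function () {
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 );

/*
 * Fix 5b: the REST API lists every user with published posts at
 * /wp-json/wp/v2/users without authentication. Remove the users routes for
 * anonymous requests only; logged-in users keep them because the block
 * editor relies on them.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

/*
 * Fix 5c: the core sitemap (WordPress 5.5+) publishes wp-sitemap-users-1.xml
 * with one author archive URL per user. Returning false drops that provider.
 */
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

/*
 * Fix 7: security headers for front-end responses. send_headers fires for
 * normal page loads only; wp-login.php, wp-admin and REST responses do not
 * pass through it, so set the same headers at the web server to cover those.
 */
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() ) {
        // Add "; includeSubDomains" only once every subdomain serves HTTPS
        // (finding 04); browsers cache this for the whole max-age.
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```

To check the result after deploying: /?author=1 should land on the home page rather than an author URL, an anonymous request to /wp-json/wp/v2/users should return a 404 "No route was found" response while the same request with a logged-in cookie and nonce still works, wp-sitemap.xml should no longer reference a users sitemap, and a plain page load should carry the headers above. Anything that still leaks display names (for example oEmbed responses) exposes the display name, not the login, so setting a display name that differs from the login closes that last gap.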
What ongoing security actually looks like

A one-time hardening audit is a starting point, not a security posture. For a small business, sustainable security looks like this:

None of this needs a dedicated security team. It needs a process and someone responsible for following it.

Want GressTech to review your site, stack or security posture?

Start a project at gresstechsolutions.com or write to info@gresstechsolutions.com