Free Template · Security · 24 points

Small Business Website Security Checklist

A 24-point security checklist covering access control, updates, backups, monitoring, DNS/email hardening, and incident response. Written for non-technical small business owners — no jargon, just specific actions.

24 checkpoints ~60 min first pass Updated 2026-07-08

Access Control

  • Audit all admin accounts List every user with admin access. Remove anyone who no longer needs it (former employees, contractors, old agencies). Fewer admins = fewer attack vectors.
  • Use strong, unique passwords Every admin account needs a password of 16+ characters that is not used anywhere else. Use a password manager (Bitwarden, 1Password, KeePass). Never reuse passwords.
  • Enable two-factor authentication Add 2FA to every admin login. An authenticator app (Google Authenticator, Authy) is better than SMS. A hardware key (YubiKey) is better than an app.
  • Change the default admin username Never use "admin" as a username. If your CMS installed with "admin," create a new admin account with a unique name and delete the old one.

Updates

  • Update CMS core Install the latest version of your CMS (WordPress, Drupal, etc.). Core updates often include critical security patches. Check monthly.
  • Update all plugins and themes Outdated plugins are the #1 way small business sites get hacked. Update everything monthly. Remove plugins you no longer use — inactive plugins still have vulnerabilities.
  • Check PHP version Run a supported PHP version (8.1+). PHP 7.4 and earlier are end-of-life with no security patches. Most hosts let you upgrade in cPanel or the hosting dashboard.
  • Remove unused themes and plugins Every installed plugin or theme is a potential attack surface, even if inactive. Delete anything you are not actively using. Keep one default theme as a fallback.

Unlock the full 24-point checklist

Enter your email to see the remaining 16 checkpoints (backups, monitoring, DNS/email hardening, and incident response). No spam — just the checklist and occasional Seth Brand Tech Care updates.

We respect your inbox. Typical reply within 2 business days. Prefer email? [email protected].

FAQ

Do I need to be technical to use this checklist?

No. Each item is written in plain language with specific actions. A few items involve DNS records or server configuration — those note when to ask your developer or hosting provider for help.

How often should I run through this checklist?

Run the full checklist quarterly. Items like updates and backup verification should be checked monthly. Items like password audits can be done every 6 months. The checklist notes recommended frequency for each category.

What if my site is already hacked?

Stop and contact a professional immediately. Do not try to fix it yourself — you may destroy evidence needed to understand how the attacker got in. Seth Brand Tech Care offers emergency security cleanup at a flat rate. Email [email protected] with "hacked" in the subject line.

Is this checklist really free?

Yes. Enter your email to unlock the full 24-point checklist. No payment, no credit card, no sales call. Your email is used to send you the checklist and occasional Seth Brand Tech Care updates. Unsubscribe anytime.

Want a professional security review?

The $99 Tech Care Audit includes a security review of your website, hosting, DNS, and email configuration. Seth checks every item on this checklist for you and sends a written report with specific fixes. No calls — everything by email.

Start the Tech Care Audit