Website Security Basics Every NZ Small Business Should Know
A plain English guide to website security for NZ small businesses, covering HTTPS, passwords, updates, backups and the simple habits that keep your site safe.

Most small-business owners we talk to assume no one would bother attacking their website. "We're tiny," they say. "Who'd want to hack us?" It's a fair thought, but it misses how the online world actually works.
The truth is that most attacks aren't personal. They're not carried out by someone who's decided to target your café, your trades business or your online shop. They come from automated bots that crawl the internet all day, probing every website they can find. These bots don't care how small you are. They just knock on every door and see which ones open.
So the good news is you don't need to be a tech expert to protect yourself. You just need to cover the basics. Here's what that looks like in plain English.
Why small sites get targeted
It helps to picture how these attacks happen. Somewhere out there, a computer program is running through millions of web addresses, testing each one for known weaknesses. An outdated plugin. A weak password. A login page left wide open.
When the bot finds a gap, it slips in automatically. No human ever chose your business. You were simply one of thousands of sites tested that minute.
This is why "we're too small to bother with" doesn't hold up. To a bot, every site is worth a try, because breaking in is cheap and fast. A hacked small-business site can be used to send spam, host dodgy content, redirect your visitors elsewhere or quietly collect data. You're a useful target precisely because you might not be watching closely.
The basics that protect you
You don't need every fancy security tool on the market. A handful of solid habits will keep you ahead of most trouble.
HTTPS and the padlock
Look at your website address in the browser. If it starts with https and shows a small padlock, your site is using an SSL certificate. That means the connection between your visitors and your site is encrypted, so information sent through it (like a contact form or a payment) can't be easily read in transit.
If your site still shows "not secure", that's worth fixing straight away. Modern browsers warn visitors about insecure sites, and that warning alone can send people running. Most reputable hosts now include SSL for free, so there's rarely a good reason to go without it.
Strong passwords and two-factor authentication
Weak passwords are still one of the easiest ways in. A bot can guess "password123" or "admin" in seconds.
Use long, unique passwords for your website login, your host account and your email. A password manager makes this painless, so you don't have to remember them all. Then turn on two-factor authentication wherever you can. That's the extra step where you confirm a login with a code from your phone. Even if someone steals your password, they still can't get in without that second code.
Keeping software, plugins and themes updated
If your site runs on something like WordPress, it's built from lots of moving parts: the core software, your theme and various plugins. Each of these gets updates, and many of those updates exist to close security holes that have been discovered.
Running old versions is like leaving a known-broken lock on your front door. Bots specifically hunt for sites running outdated software, because they already know exactly how to get in. Keeping everything current is one of the single most effective things you can do.
Regular backups you can actually restore
Even with good habits, things can go wrong. That's why backups matter. If your site is ever hacked, broken by a bad update or lost entirely, a recent backup lets you roll back to a clean version instead of starting from scratch.
The key word is restore. A backup you've never tested isn't much comfort. Make sure backups run automatically, are stored somewhere separate from your site, and can genuinely be put back when you need them.
Limiting who has admin access
It's tempting to give everyone full access so no one gets stuck. But every admin login is another potential way in. If a staff member's password is weak or their computer is compromised, that becomes your problem too.
Give people only the access they actually need. A person who writes blog posts doesn't need the keys to the whole site. And when someone leaves the business or a contractor finishes a job, remove their access promptly.
Choosing a reputable host
Your web host is the foundation everything else sits on. A good host keeps their servers patched, offers SSL, provides backups and steps in quickly if something goes wrong.
The cheapest option isn't always a saving. If your host is slow to respond or cuts corners on security, you carry the risk. It's worth choosing a provider with a solid reputation and real support you can reach.
Protecting your forms from spam and abuse
Contact forms, booking forms and comment boxes are all doors into your site, and bots love them. Left unprotected, they fill up with spam or get used to send junk through your site.
Simple measures help a lot: a spam filter, a hidden honeypot field that traps bots, or a quiet check that a real person is filling in the form. These keep your inbox clean and stop your forms being misused.
Signs something might be wrong
Sometimes a site is compromised and the owner has no idea for weeks. Keep an eye out for these warning signs:
- Your site suddenly loads slowly or behaves oddly.
- Pages look different, defaced or full of content you didn't add.
- Visitors get sent to strange or unrelated websites.
- Browsers show a warning before your site loads.
- Google flags your site as unsafe or drops it from search results.
If you spot any of these, treat it seriously and get help sorting it quickly. The longer a problem sits, the more damage it can do.
What's actually at stake
It's easy to think of security as abstract until something breaks. In practice, the fallout is very real.
There's downtime, when your site goes offline and customers can't find or buy from you. There's lost trust, because a hacked or warning-flagged site makes people doubt you. There's the risk to customer data, which brings both practical and legal headaches. And there's your Google ranking: search engines actively de-list or demote sites they detect as hacked, so all that hard-won visibility can vanish.
If you want to keep search traffic healthy alongside your security, our guides on website speed and SEO and common SEO mistakes are worth a read too.
How ongoing maintenance keeps you safe
Here's the reassuring part. None of this needs to be a big scary project. Security isn't a one-off job you tick off and forget. It's a set of small, steady habits: updates applied, backups checked, logins kept tidy.
That's exactly what regular website maintenance is for. When someone's quietly keeping your site updated and watched each month, most of these risks are handled before they ever become a problem. We cover this in more detail in our article on website maintenance, and if you're wondering whether your current setup is still fit for purpose, have you outgrown your website is a good companion read.
We're here to help
Website security can feel overwhelming when you're already busy running a business. You don't have to figure it all out on your own.
At Automate Workflow, we help Wellington and NZ small businesses keep their sites secure, up to date and running smoothly, so you can get on with the work you're actually good at. If you'd like a hand reviewing your site or setting up ongoing care, take a look at our services or get in touch. We're always happy to talk it through in plain English.
Ready to get found on Google?
Automate Workflow helps New Zealand businesses turn their website into a steady source of new customers. Let's talk about where you could grow.
Get in touch