← Back
Security5 min read

Is Your Website Secure?

Most small business websites are missing protections that take minutes to add and could save you from a serious headache. Here is what to look for.

Security sits at the foundation of everything built at Flow-Through. Every website ships with industry-standard security headers, encrypted connections, server-side form validation, rate limiting, and spam protection as standard. These are the baseline. Any site built to a lower standard has cut corners.

If someone told you your shopfront had a broken lock, you would fix it today. Your website works the same way, except the door is open to the entire internet, and most business owners have no idea whether theirs is locked.

These are the basics every website should have. Most are missing them, and your customers notice more than you think.

43% of cyber attacks target small businesses. Of those, 60% go out of business within six months of an attack.
— Australian Cyber Security Centre, Small Business Survey 2024

SSL: The Padlock in Your Browser

SSL (Secure Sockets Layer) encrypts everything that travels between your visitor's browser and your website. When it is active, all data in transit is protected. When it is missing, anyone on the same network (a coffee shop, an airport, a shared office) can read every form submission, every password, every message your customers send.

You can check this yourself. Look at your website URL in the browser. If it starts with https:// and shows a padlock icon, SSL is active. If it says http:// with no padlock, or worse, a “Not Secure” warning. Your visitors can see it too.

Google actively penalises sites without SSL. Since 2018, Chrome marks all HTTP sites as “Not Secure.” This directly impacts your search rankings and your visitors' trust.

The good news: SSL certificates are free through services like Let's Encrypt and Cloudflare. Every website should have one, and in 2026 there is zero excuse to go live with an unencrypted connection.

Security Headers: The Invisible Shield

Every time someone visits your website, your server sends back a set of instructions called “headers.” Most websites only send the basics: here is the page, here is the content type. But there is a set of security headers that tell the browser how to protect your visitors, and the majority of small business websites are missing all of them.

Here is what a properly secured site sends versus what most do not:

Security Header Audit
Strict-Transport-SecurityProtected
max-age=63072000; includeSubDomains; preload

Forces the browser to always use HTTPS, even if someone types http://. Prevents downgrade attacks and cookie hijacking. The max-age value tells browsers to remember this rule for two years.

Content-Security-PolicyProtected
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

Controls exactly what resources the browser is allowed to load. Prevents cross-site scripting (XSS) attacks by blocking malicious scripts injected into your page. This is the single most impactful security header.

X-Frame-OptionsProtected
DENY

Prevents your website from being embedded inside an iframe on another site. Stops clickjacking attacks where a malicious site overlays invisible buttons on top of your page.

X-Content-Type-OptionsProtected
nosniff

Stops the browser from guessing what type of file it is receiving. Without this, an attacker can trick the browser into executing a disguised file as JavaScript.

Referrer-PolicyProtected
strict-origin-when-cross-origin

Controls how much information about your site is sent when a visitor clicks a link to another site. Prevents leaking sensitive URL paths to third parties.

Permissions-PolicyProtected
camera=(), microphone=(), geolocation=()

Explicitly disables browser features your site does not need. Prevents any injected script from accessing your visitor's camera, microphone, or location.

Now here is what the same audit looks like on a typical small business website built with a template or page builder:

Typical Small Business Site
Strict-Transport-SecurityMissing

Not configured. The site can be accessed over plain HTTP, exposing all traffic to interception.

Content-Security-PolicyMissing

Not configured. The site has no protection against cross-site scripting attacks. Any injected script runs with full access.

X-Frame-OptionsMissing

Not configured. The site can be embedded in malicious iframes for clickjacking.

X-Content-Type-OptionsMissing

Not configured. MIME-type sniffing attacks are possible.

Referrer-PolicyPartial

Using browser default. Some URL data may leak to third-party sites through referrer headers.

Permissions-PolicyMissing

Not configured. Browser APIs like camera and microphone are not explicitly restricted.

You can check your own site's security headers for free at securityheaders.com. Enter your URL and it will grade your headers from A+ to F. Most small business sites score a D or below.

Contact Forms: The Front Door for Attackers

If your website has a contact form, it is the most common entry point for abuse. A form with proper protection handles all of this gracefully. One built carelessly can be used to:

  • Flood your inbox with thousands of spam submissions
  • Inject malicious code into your database (SQL injection)
  • Send phishing emails through your domain (email injection)
  • Overload your server with automated requests (DDoS)

A properly built form should have:

What good form protection looks like
// Rate limiting — max 5 submissions per 15 minutes per IP
if (submissions[ip] > 5) return "Too many attempts"

// Honeypot field — hidden from humans, visible to bots
if (form.hiddenField !== "") return silentReject()

// Input sanitisation — strip dangerous characters
const clean = input.trim().slice(0, 1000)

// Email validation — reject malformed addresses
if (!isValidEmail(email)) return "Invalid email"

// Server-side validation — never trust the browser
// Client-side checks are for UX, server-side is for security

Most template-based websites skip all of this. The form sends directly to an email address, wide open. It works fine until someone decides to test it.

HTTPS Redirects: Locking Both Doors

An SSL certificate is a great start. But if your site is still accessible at both http://yourbusiness.com and https://yourbusiness.com, the HTTP version remains exposed. A proper setup forces every request through HTTPS automatically.

Server redirect rule
# Redirect all HTTP traffic to HTTPS
if (request.protocol === "http") {
  redirect → https://yourbusiness.com + request.path
  status: 301 (permanent)
}

This takes seconds to configure. Combined with the HSTS header mentioned above, it ensures your visitors are always on the encrypted version, even if they type the URL without https.

Third-Party Code: The Risk You Inherit

Every WordPress plugin, every JavaScript library, every analytics script you add to your site is code written by someone else. If that code has a vulnerability, your site inherits it.

Over 90% of WordPress security breaches come from plugins, not WordPress itself. The average WordPress site runs 20-30 plugins, each one a potential entry point.
— Sucuri Website Threat Research Report 2024

This is one of the strongest arguments for hand-coded websites over template builders. A custom-built site runs only the code it needs. Every dependency is deliberate, every library is maintained, and you can account for every line that runs on your server.

Every Flow-Through build follows this principle. You get a clear picture of exactly what code is running and why it is there.

Data Handling: What Happens After They Hit Submit

When a customer fills in your contact form, where does that data go? On a properly built site, the answer is clear: encrypted in transit, validated on the server, stored securely, accessible only to you.

On many small business sites, the picture looks different. Form data travelling over plain HTTP. Submissions sitting in an unencrypted database. Customer email addresses visible in URL parameters. Admin panels accessible at /wp-admin with default credentials still in place.

With the Australian Privacy Act removing the small business exemption from July 2026, how you handle customer data is a legal requirement. Penalties for mishandling personal information can reach $2.5 million for individuals and $50 million for companies.

From 1 July 2026, the $3 million turnover exemption for the Privacy Act is being removed. Small businesses will need to comply with the Australian Privacy Principles, including how they collect, store, and handle customer data through their websites.

The Essential Eight and Australian Compliance

The Australian Cyber Security Centre (ACSC) publishes a framework called the Essential Eight: eight mitigation strategies that form the baseline for cyber security in Australia. While the full framework targets enterprise IT environments, several of its principles apply directly to how your website is built and maintained.

Essential Eight Principles Relevant to Websites

Patch Applications

Keep all software, frameworks, and dependencies up to date. Unpatched WordPress plugins are the single most common entry point for website breaches.

Application Control

Only approved code should run on your site. Content Security Policy headers enforce this at the browser level, blocking any scripts that were not explicitly allowed.

Restrict Administrative Privileges

Admin access to your website should be tightly controlled. Unique passwords per user, login pages behind access restrictions, and default credentials changed on day one.

Multi-Factor Authentication

Any admin or CMS login should require a second factor. A password plus a verification code is the minimum for any system that controls your public-facing website.

Regular Backups

Daily backups of your website and its data, stored separately from the live server. If something goes wrong, you can restore to a known good state within minutes.

Beyond the Essential Eight, Australian businesses also need to consider the Privacy Act 1988 (and its upcoming small business reforms), the Notifiable Data Breaches scheme, and industry-specific regulations depending on your sector.

For most small business websites, the practical takeaway is straightforward: encrypt everything in transit, validate and sanitise all inputs, keep your software updated, restrict who can access the backend, and back it up daily. If your current website ticks all of those boxes, you are in good shape. And if there are gaps, the distance between where you are and where you should be is smaller than you might expect.

The full Essential Eight framework is published by the ACSC at cyber.gov.au. It is the Australian Government's recommended baseline for cyber security across all organisations.

The Checklist: Is Your Site Protected?

Here is a quick audit you can run on your own website right now. If you are missing more than two of these, your site has gaps that are worth addressing.

Website Security Checklist
SSL certificate active (padlock icon, https:// in URL)
HTTP automatically redirects to HTTPS
Security headers configured (check at securityheaders.com)
Contact form has rate limiting and spam protection
No sensitive data in URL parameters
Admin panels are protected or non-existent
All plugins and dependencies are up to date
HTTPS enforced on all subdomains
Privacy policy reflects actual data handling practices
Form submissions are validated server-side, not just in the browser

Where to From Here

Every protection listed on this page can be implemented in a day. The real barrier is awareness. Most business owners have never been told what to ask for, and most budget developers only include what you specifically request.

Every Flow-Through build ships with all of this as standard. Security headers, SSL, form protection, server-side validation, clean dependencies, HTTPS enforcement. All included, every time.

Curious where your current site stands? Run it through securityheaders.com and see what comes back. If you want to talk about what it means, get in touch.

References

  • Australian Cyber Security Centre — Small Business Cyber Security Survey (2024)
  • OWASP Foundation — Top 10 Web Application Security Risks (2021)
  • Sucuri — Website Threat Research Report (2024)
  • Mozilla Developer Network — HTTP Security Headers Documentation
  • Google Chromium Blog — A Secure Web is Here to Stay (2018)
  • Australian Cyber Security Centre — Essential Eight Maturity Model (2023)
  • Australian Government — Notifiable Data Breaches Scheme, Privacy Act 1988
  • Office of the Australian Information Commissioner — Privacy Act Reform (2025)