South Africa is one of the most targeted countries for cybercrime in Africa. According to Kaspersky's 2025 report, SA recorded over 230 million cyberattack attempts in a single quarter. Small businesses are disproportionately targeted because hackers know they typically have fewer defences than large corporations — but still hold valuable data and often process payments.
Most attacks are not manual — they are automated. Bots continuously crawl the internet looking for websites with known vulnerabilities. If your site has one, it will be found and exploited, often without you even knowing until it's too late.
Here are the 5 security mistakes we see on South African business websites repeatedly — and exactly how to fix each one.
Why SA Small Businesses Are Targeted
Small businesses are attractive targets because:
- They hold customer data (names, email addresses, phone numbers, payment info) that can be sold or used for further attacks
- They often use outdated software with known vulnerabilities
- They rarely have dedicated IT security staff
- Compromised websites can be used to send spam, host malware, or perform attacks on other systems
- Ransomware attacks on businesses that can't afford to lose their data — but also can't afford professional recovery — are extremely profitable for attackers
Under POPIA (Protection of Personal Information Act), South African businesses are also legally required to protect customer data. A breach can result in regulatory fines of up to R10 million and reputational damage that is difficult to recover from.
Mistake 1: No SSL Certificate (Not Using HTTPS)
If your website address starts with http:// instead of https://, your website is not encrypted. This means any data sent between your visitor's browser and your server — including contact form submissions, login credentials, and payment details — is transmitted in plain text and can be intercepted.
The Consequences
- Browsers like Chrome display a "Not Secure" warning in the address bar — this drives away visitors immediately
- Google uses HTTPS as a ranking signal — HTTP sites are penalised in search results
- Customer data submitted through your forms is vulnerable to interception
- You are almost certainly violating POPIA requirements for data protection
The Fix
SSL certificates are now free. Let's Encrypt provides free SSL certificates that most hosting providers install automatically. Contact your host and ask them to install a free Let's Encrypt SSL certificate. This should take less than 5 minutes and cost nothing.
After installation, ensure all traffic is redirected from HTTP to HTTPS with a 301 redirect. Check with SSL Labs (free) to confirm your certificate is properly installed.
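To make the two checks above repeatable across every site you look after, here is an added example (not code from the article, from Let's Encrypt or from SSL Labs): a Python script that sends one plain-HTTP request and reports whether it is answered with a permanent redirect to HTTPS on the same host, then opens a verified TLS connection and reports how many days remain on the certificate. The host name `example.co.za` is a placeholder; the classification and expiry functions take their input as arguments, so they can be exercised without a network.

```python
"""HTTPS audit helper (added example; not from the article).

Checks that http:// requests get a permanent (301/308) redirect to the
HTTPS version of the same host, and reports days until the certificate
expires. The host name used at the bottom is a placeholder.
"""
import http.client
import socket
import ssl
import time
from urllib.parse import urlparse


def classify_redirect(status, headers, host):
    """Judge a plain-HTTP response given its status code and header mapping.

    Returns "ok", "no-redirect", "temporary", "not-https" or "other-host".
    """
    if status not in (301, 302, 303, 307, 308):
        return "no-redirect"
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    target = urlparse(location)
    if target.scheme != "https":
        return "not-https"          # redirect exists but stays on plain HTTP
    if target.hostname not in (host, "www." + host):
        return "other-host"         # points somewhere else entirely
    if status not in (301, 308):
        return "temporary"          # 302/307: works, but not the permanent redirect the text asks for
    return "ok"


def cert_time_seconds(cert_time):
    """Convert the notAfter string from getpeercert() to Unix seconds (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def days_remaining(not_after, now_seconds=None):
    """Whole days until the certificate's notAfter time; negative if already expired."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((cert_time_seconds(not_after) - now_seconds) // 86400)


def fetch_http_redirect(host, timeout=10):
    """One plain-HTTP GET for /, returning (status, headers) without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def fetch_cert_not_after(host, timeout=10):
    """Open a verified TLS connection (fails on untrusted or expired certs) and read notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit_https(host):
    """Run both checks against a live host and return a small report dict."""
    status, headers = fetch_http_redirect(host)
    report = {"redirect": classify_redirect(status, headers, host)}
    try:
        report["cert_days_left"] = days_remaining(fetch_cert_not_after(host))
    except (ssl.SSLError, OSError) as exc:
        report["cert_error"] = str(exc)   # self-signed, expired, wrong name, or no TLS at all
    return report


if __name__ == "__main__":
    print(audit_https("example.co.za"))   # placeholder host; substitute your own domain
```

A result of `temporary` or `other-host` is worth fixing even though the site "works": search engines treat a 302 as provisional, and a redirect to a different host usually means the www and non-www versions are not both covered by the certificate. A `cert_error` with a verified context is exactly what a visitor's browser would see.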
Mistake 2: Outdated Software and Plugins
If you use WordPress (which powers approximately 43% of all websites globally), every plugin and theme you install is a potential security vulnerability. Security researchers and hackers alike continuously discover flaws in popular plugins. Plugin developers release patches — but only sites that update promptly are protected.
The Scale of the Problem
The Wordfence security team reports that over 90% of WordPress hacks occur through known, already-patched vulnerabilities. In other words, most hacked sites were running software that had an available security update — the owner just hadn't applied it.
The Fix
- Enable automatic updates for WordPress core, plugins, and themes where possible
- Check for and apply updates at least once per week if automatic updates are off
- Delete plugins you don't use — inactive plugins are still a security risk if they have vulnerabilities
- Only install plugins from reputable sources with recent update histories and large install counts
- Remove nulled (pirated) themes and plugins immediately — they frequently contain backdoors
Important: Before updating WordPress core or plugins on a live site, always create a backup first. Updates occasionally break functionality, and you need to be able to roll back if something goes wrong.
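The weekly check in the list above is easier to keep up with when it is scripted. The following is an added example, not code from the article, from WordPress or from Wordfence: it reads the standard header comment (`Plugin Name:`, `Version:`) from each plugin's main PHP file under `wp-content/plugins`, asks the WordPress.org plugin information API for the latest release, and flags anything that is behind. The directory path is a placeholder; plugins that are not hosted on WordPress.org (paid, custom, or nulled copies) will not be found by the API and are reported separately so you check them with the vendor.

```python
"""Plugin inventory and update check (added example; not from the article).

Parses the WordPress plugin header from each plugin's main file, compares
the installed version with the latest release published on WordPress.org,
and prints what needs updating. The plugins directory is a placeholder.
"""
import json
import re
import urllib.request
from pathlib import Path

# The header is a PHP comment block; WordPress reads only the first 8 KB of the file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def parse_plugin_header(php_source):
    """Return {"name": ..., "version": ...} from a plugin file's header comment."""
    fields = dict(HEADER_RE.findall(php_source[:8192]))
    return {"name": fields.get("Plugin Name"), "version": fields.get("Version")}


def version_tuple(version):
    """'6.2.10' -> (6, 2, 10); trailing zeros dropped so '3.0' equals '3.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version or "0")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed, latest):
    return version_tuple(installed) < version_tuple(latest)


def inventory(plugins_dir):
    """[(slug, name, installed_version)] for every plugin folder under wp-content/plugins."""
    found = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php_file.read_text(errors="ignore"))
            if header["name"]:
                found.append((plugin_dir.name, header["name"], header["version"]))
                break
    return found


def fetch_latest_version(slug, timeout=10):
    """(latest version, last_updated) from the WordPress.org plugin API, or (None, None)."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=timeout) as resp:
        info = json.load(resp)
    return info.get("version"), info.get("last_updated")


def report(plugins_dir):
    for slug, name, installed in inventory(plugins_dir):
        try:
            latest, updated = fetch_latest_version(slug)
        except OSError as exc:
            print(f"{name}: lookup of '{slug}' failed ({exc})")
            continue
        if not latest:
            print(f"{name}: not on WordPress.org; check the vendor for updates")
            continue
        flag = "UPDATE" if is_outdated(installed, latest) else "ok"
        print(f"{name}: installed {installed}, latest {latest} (released {updated}) -> {flag}")


if __name__ == "__main__":
    report("/var/www/example/wp-content/plugins")   # placeholder path
```

This inventory cannot tell you which plugins are inactive, because activation state lives in the database rather than on disk; WP-CLI's `wp plugin list --status=inactive` gives that list if you have shell access, and the WordPress admin plugin screen shows it otherwise.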
Mistake 3: Weak Passwords and No Two-Factor Authentication
Brute force attacks — where automated tools try thousands of username/password combinations per second — are one of the most common attack methods against WordPress sites. The default WordPress admin URL (/wp-admin) is known to every attacker.
The Fix
- Use strong, unique passwords: A strong password is at least 16 characters long and includes uppercase, lowercase, numbers, and symbols. Use a password manager (Bitwarden is free and excellent) to generate and store these.
- Change the default admin username: Never use "admin" as your WordPress username — it's the first thing brute force tools try.
- Enable Two-Factor Authentication (2FA): Install a plugin like WP 2FA (free) to require a time-based code from your phone when logging in. This makes brute force attacks virtually impossible.
- Limit login attempts: Use a plugin to block IP addresses after 3–5 failed login attempts.
- Change the login URL: Use a plugin to change /wp-admin to a custom path like /my-login-2026. This eliminates the majority of automated attacks which target the default URL.
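The two plugin features recommended above, a time-based code and a lockout after a few failed attempts, are small enough to show in full. The block below is an added example and is not code from the article, from WP 2FA or from any other named plugin: it implements TOTP as authenticator apps do (RFC 6238, HMAC-SHA1, 30-second steps), accepting one step of clock drift either side, and a limiter that blocks a client key (normally the IP address) after too many failures in a window. The secret and timestamps in the test are the RFC's published test vectors; the limiter thresholds are illustrative.

```python
"""TOTP second factor and login lockout (added example; not from the article
or from any named plugin).

totp()/verify_totp() follow RFC 6238 with HMAC-SHA1, which is what phone
authenticator apps generate. LoginLimiter blocks a key after max_failures
failed attempts inside `window` seconds, for `lockout` seconds.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step, the value authenticator apps use


def totp(secret, for_time=None, digits=6):
    """RFC 6238 TOTP for a raw-bytes secret at the given Unix time (default: now)."""
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // STEP))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, for_time=None, window=1):
    """Accept the current code or one step either side to absorb small clock drift."""
    now = time.time() if for_time is None else for_time
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP)
        ok |= hmac.compare_digest(expected, submitted.strip())  # constant-time compare
    return ok


def secret_from_base32(text):
    """Authenticator apps exchange the secret in base32 (often shown in groups of four)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class LoginLimiter:
    """Block a client key after `max_failures` failures within `window` seconds."""

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = {}       # key -> timestamps of recent failures
        self._locked_until = {}   # key -> time the block expires

    def is_blocked(self, key, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key, now=None):
        """Register a failed login; returns True once the key is blocked."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
        return self.is_blocked(key, now)

    def record_success(self, key):
        self._failures.pop(key, None)
```

The limiter is keyed on the client address, so it only works if that address is the real visitor's; behind a proxy such as Cloudflare the server sees the proxy's address unless you take the visitor address from the proxy's header, and only for connections that genuinely came from the proxy.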
Mistake 4: No Website Backups
Backups are not a security measure against being hacked — they are a recovery measure. When (not if) something goes wrong — whether from a hack, a failed update, or accidental deletion — a recent backup is the difference between a 30-minute recovery and a complete rebuild.
What Many SA Business Owners Assume
Many business owners assume their hosting provider keeps backups. Some do, some don't, and those that do often keep only 7 days of backups at extra cost. Do not rely solely on your host's backups.
The Fix
- Automated daily backups: Use a plugin like UpdraftPlus (free tier available) to automatically back up your WordPress database and files daily.
- Offsite storage: Store backups in a separate location — Google Drive, Dropbox, or Amazon S3. Do not store backups only on the same server as your website.
- Test your backups: A backup you've never tested may not restore correctly. Test a restoration at least once every 3 months.
- Keep 30 days of backups: Some hacks are not discovered immediately. You may need to restore a backup from 2 weeks ago to get a clean version.
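Three of the four points above (offsite copies aside) can be checked mechanically: make the backup, prove it restores, and prune by age. The script below is an added example, not code from the article or from UpdraftPlus. It packs the site directory into a dated tar.gz, records a SHA-256 hash of every file, restores the archive into a scratch directory and compares hashes, and selects archives older than 30 days by the date in their file name. Paths are placeholders, and the database dump is assumed to already exist as a file inside the site directory (for example from mysqldump); `run_demo()` builds a constructed two-file site in a temporary directory to exercise the whole flow.

```python
"""Backup creation, restore test and retention (added example; not from the article).

create_backup() writes site-backup-YYYYMMDD.tar.gz, verify_restore() extracts
it to scratch space and compares SHA-256 hashes, expired_archives() applies
the retention period. Paths are placeholders.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

ARCHIVE_PREFIX = "site-backup-"
DATE_FMT = "%Y%m%d"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root):
    """{relative path: sha256} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(site_dir, dest_dir, when=None):
    """Write <dest_dir>/site-backup-YYYYMMDD.tar.gz; return (archive path, hashes of the source)."""
    when = when or datetime.now()
    archive = Path(dest_dir) / f"{ARCHIVE_PREFIX}{when.strftime(DATE_FMT)}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return archive, file_hashes(site_dir)


def verify_restore(archive, expected_hashes):
    """Extract into scratch space and return the relative paths whose hashes differ (empty = good)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses entries that escape the target dir
            except TypeError:                            # Python without the extraction filter
                tar.extractall(scratch)
        restored = file_hashes(Path(scratch) / "site")
    keys = set(expected_hashes) | set(restored)
    return sorted(k for k in keys if expected_hashes.get(k) != restored.get(k))


def expired_archives(dest_dir, keep_days=30, today=None):
    """Archives older than keep_days, judged by the date stamp in the file name."""
    today = today or datetime.now()
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for p in Path(dest_dir).glob(f"{ARCHIVE_PREFIX}*.tar.gz"):
        stamp = p.name[len(ARCHIVE_PREFIX):len(ARCHIVE_PREFIX) + 8]
        try:
            if datetime.strptime(stamp, DATE_FMT) < cutoff:
                expired.append(p)
        except ValueError:
            continue   # not one of ours; leave it alone
    return sorted(expired)


def run_demo():
    """Constructed end-to-end run in a temporary directory: back up, verify, check retention."""
    with tempfile.TemporaryDirectory() as base:
        site = Path(base) / "public_html"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'constructed sample site';")
        (site / "wp-content" / "db.sql").write_text("-- constructed database dump\n")
        dest = Path(base) / "backups"
        dest.mkdir()
        archive, hashes = create_backup(site, dest, when=datetime(2026, 3, 1))
        mismatches = verify_restore(archive, hashes)
        (dest / f"{ARCHIVE_PREFIX}20260101.tar.gz").touch()   # an old archive due for pruning
        expired = [p.name for p in expired_archives(dest, keep_days=30, today=datetime(2026, 3, 1))]
        return {"files_backed_up": len(hashes), "mismatches": mismatches, "expired": expired}


if __name__ == "__main__":
    print(run_demo())
```

Run the create/verify pair from a scheduled job and copy the archive to the offsite location only after `verify_restore` returns an empty list; an archive that fails verification should be kept and investigated rather than silently replaced, since a corrupt backup that is also the newest one is exactly the case the "test your backups" point is about.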
Mistake 5: No Web Application Firewall (WAF)
A Web Application Firewall sits between your website and incoming traffic, inspecting requests and blocking malicious ones before they reach your site. It protects against SQL injection, cross-site scripting (XSS), brute force attacks, malware uploads, and dozens of other attack types.
The Fix
- Cloudflare (free tier): Cloudflare's free plan includes a basic WAF and DDoS protection. Setting up Cloudflare on your domain takes 15–20 minutes and is completely free. It is the easiest and most effective single security improvement for most SA business sites.
- Wordfence (WordPress): The free version of Wordfence includes a firewall, malware scanner, and real-time threat intelligence. Install and configure it on every WordPress site you manage.
- Sucuri (all sites): Sucuri's free scanner can check if your site is blacklisted or infected. Their paid WAF service is recommended for e-commerce sites handling payment data.
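One detail that Cloudflare setup guides often leave for later: once Cloudflare is in front of the site, your server sees Cloudflare's address on every connection and the visitor's real address in the `CF-Connecting-IP` header. Any IP-based blocking or login limiting on the server must use that header, but only for connections that genuinely came from Cloudflare, and a connection that did not come from Cloudflare has bypassed the WAF altogether. The block below is an added example, not code from the article or from Cloudflare: it loads the proxy's published network list, decides which address to treat as the client, and gives an allow/deny verdict for direct access to the origin. The ranges in the test are constructed documentation ranges; the real lists are at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Trusting the proxy's client-address header only from the proxy's own
networks (added example; not from the article or from Cloudflare).

Cloudflare passes the visitor's address in CF-Connecting-IP. Use it only
when the TCP peer is inside Cloudflare's published ranges; otherwise treat
the peer address as the client and regard the request as a WAF bypass.
"""
import ipaddress
import urllib.request

CLOUDFLARE_LISTS = ("https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6")


def parse_networks(text):
    """One CIDR per line -> list of ip_network objects; blank lines ignored."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def fetch_cloudflare_networks(timeout=10):
    """Download and parse both published lists (refresh these periodically)."""
    nets = []
    for url in CLOUDFLARE_LISTS:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            nets.extend(parse_networks(resp.read().decode()))
    return nets


def came_from_proxy(remote_addr, networks):
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)


def real_client_ip(remote_addr, headers, networks):
    """Address to rate-limit or block on.

    CF-Connecting-IP is honoured only when the peer is a proxy address, so a
    request that reaches the origin directly cannot shift blame to another
    visitor or dodge an existing block by setting the header itself.
    """
    forwarded = next((v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), None)
    if forwarded and came_from_proxy(remote_addr, networks):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass   # malformed header value: fall back to the peer address
    return remote_addr


def direct_access_verdict(remote_addr, networks):
    """Origin-side rule: a peer outside the proxy ranges reached the site without the WAF."""
    return "allow" if came_from_proxy(remote_addr, networks) else "deny"


if __name__ == "__main__":
    live = fetch_cloudflare_networks()
    print(len(live), "Cloudflare networks loaded")
```

The same decision can be enforced in the web server or host firewall (allow port 80/443 only from the proxy ranges), which is the more robust option; the Python version is useful for application-level logic such as the login limiter and for auditing what the server is currently accepting.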
Signs Your Website Has Already Been Hacked
Because most attacks are silent, many sites are compromised for weeks before the owner notices. Watch for:
- Google Search Console shows security warnings or manual actions
- Your website is redirecting visitors to spam or adult sites
- New admin user accounts you didn't create
- Google search results for your site show strange content you didn't write
- Your hosting provider has suspended your account for sending spam or hosting malware
- Antivirus software flags your website when you visit it
- Sudden dramatic drop in organic search traffic
If you suspect your site has been compromised, contact your host immediately, change all passwords, and consider hiring a professional to clean the site.
Check Your Security Right Now
Use these free tools to audit your website's security today:
- Sucuri SiteCheck: Scans for malware, blacklisting, and basic security issues
- SSL Labs: Tests your HTTPS certificate configuration
- Google Search Console: Google alerts you here if it detects security issues on your site
- Have I Been Pwned: Check if your email address has been found in known data breaches
At Smart Web Design, every website we build is secured from day one — SSL, security headers, WAF, and hardened WordPress configuration included as standard. If you're concerned about your current site's security, contact us for a free security assessment.