
Website security and maintenance for NZ small businesses: fewer incidents, faster recovery

Updated 2026-04-12 · In-depth article for NZ small businesses

Who this is for. NZ SMEs running a website that matters to revenue or reputation—especially WordPress and other CMS-driven sites—who want sensible habits without enterprise jargon.

Security is not a product you buy once. It is hygiene plus preparation: make incidents rare, and make recovery possible when something slips through.

1. The minimum viable security programme

  • Unique strong passwords + MFA for admin surfaces.
  • Least-privilege accounts for staff and agencies; revoke on exit.
  • Timely patching of CMS, plugins, themes, and PHP versions.
  • Reliable backups stored off-site; tested restores.
  • Monitoring for uptime and file changes where budget allows.

2. Backups: your real insurance policy

Automate daily backups for active sites; keep multiple restore points. Document how to restore in a crisis—on paper or a shared runbook—not only inside one person’s head.

3. When something looks compromised

Typical early signs: unexpected admin users, new PHP files, spammy redirects, sudden CPU spikes, or blacklisting warnings.

First steps:

  1. Take a forensic snapshot if you may need evidence.
  2. Take the site offline or into maintenance if data theft is suspected.
  3. Rotate credentials—assume some are exposed.
  4. Prefer clean restore from known-good backup over endless malware whack-a-mole when feasible.
  5. Notify stakeholders and—where required—customers and regulators per professional advice.
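The "file changes" monitoring from section 1 and the "new PHP files" sign above can be covered by one cheap check: hash every file under the web root against a known-good baseline and flag anything new or altered, with extra attention to PHP appearing where a CMS like WordPress should only hold media. The script below is an added example, not from the article; it builds a constructed mini web root in a temporary directory, and the upload-directory list and file names are assumptions for the demo.

```python
"""Baseline-vs-current file-change check for a CMS web root (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: directories that should hold media only, never executable PHP.
NO_PHP_DIRS = ("wp-content/uploads",)


def snapshot(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 hex digest."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify added/removed/modified files; flag PHP that appeared in media-only dirs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = [p for p in added + modified
                  if p.endswith(".php") and p.startswith(NO_PHP_DIRS)]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate changes, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed sample\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'x');\n")
        (root / "wp-content/uploads/logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)
        # Constructed changes: one legitimate config edit, one PHP file dropped into uploads.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'y');\n")
        (root / "wp-content/uploads/cache.php").write_text("<?php // unexpected\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, store the baseline off the web server (it is only trustworthy if an intruder cannot rewrite it) and refresh it right after each deliberate update, so the diff stays short enough that someone actually reads it.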

4. Updates without drama

Use staging for non-trivial stacks. Read changelogs. Update in a consistent order and verify forms, checkout, and search afterwards.

5. Agency and contractor access

Use time-limited accounts; avoid shared “admin@” passwords. Record what was changed during engagements so handovers do not orphan credentials.

6. Security headers and TLS

HTTPS everywhere; consider sensible headers (CSP is powerful but test carefully). Misconfigured headers break integrations—roll out gradually.

7. Logging without drowning

Retain enough logs to trace an incident; not so much that nobody reads them. Alert on anomalies you will actually respond to.

8. Business continuity

Write a one-page runbook: registrar login, DNS host, hosting panel, backup location, support numbers, and who decides to restore vs rebuild.

9. Frequently asked questions

Will a security plugin fix everything?

It helps—firewall rules, scans—but does not replace patching, backups, and sensible hosting.

Should I hide my login URL?

Obscurity helps slightly; MFA and rate limiting help more. Do not rely on secrecy alone.

How often should we patch?

Monthly minimum for many SMEs; sooner when critical CVEs affect your stack.

Related shorter guides. Read the Security & maintenance topic for backups, incidents, credentials, headers, and patch cadence.