The Myth of “Too Small to Matter”

The most common thing I hear from small business owners after a breach is some version of: “Why us? We don’t have anything worth stealing.”

That sentence has a hidden assumption: that attackers chose them. They didn't. Nobody Googled the business name, nobody read the About page and decided this was the day. A scanner found a vulnerable plugin, exploited it, and moved on to the next site in the queue. The whole encounter took seconds and was entirely impersonal.

That’s the part most small business owners get wrong. Modern web attacks aren’t aimed; they’re swept. If your site is online and running outdated software, you’re not a target so much as a result.

A security checkup shows you what those scanners can already see from the outside: outdated core or plugins, exposed admin pages, weak authentication, missing security headers. Those are the things attackers use to sort your site into a queue.


Your Site Is Valuable — Just Not in the Way You Think

Here’s what gets missed when owners say “we have nothing worth stealing.” Attackers don’t want your customer list or your blog drafts. They want the resources your server gives them: bandwidth, IP reputation, CPU, and a domain that hasn’t been blacklisted yet.

These are the patterns I see most often in incident response:

  1. Hosting phishing pages that impersonate banks, shipping companies, or login portals. A compromised small business site is perfect for this: it has a real, aged domain with no security history flagging it, and the owner usually doesn't check the file system. I've found Microsoft 365 login clones sitting in /wp-content/uploads/ for weeks before the owner noticed anything was wrong.

  2. Sending spam or fraud email from your domain. Once your domain lands on Spamhaus or shows up in spam-trap reports, even your legitimate invoices start hitting junk folders. I've cleaned up after this on client sites and the email side of the recovery takes longer than the site cleanup...sometimes weeks to rebuild reputation.

  3. Cryptocurrency mining quietly burning your hosting CPU until your bill spikes or your host suspends the account.

  4. Redirecting your visitors to scam stores, fake software updates, or malware downloads. SocGholish and similar fake-update campaigns rely on a steady supply of compromised real sites to look legitimate. Your site's traffic becomes their conversion funnel.

  5. Card-skimming injections on any site that takes payments. The Magecart family of attacks specifically hunts small e-commerce sites with outdated themes or pirated plugins; I responded to one where a single pirated theme had been quietly injecting a card skimmer for months.

Even without a full compromise, your forms have value. Modern contact-form spam uses AI-generated messages and human-solver networks to bypass basic captchas, wasting staff time and polluting lead pipelines. And some compromises don’t even require a breach; a forgotten hosting account whose domain still points at it can start serving scareware to anyone who visits.

The first sign of any of this is rarely a message from the attacker (they don’t want you to know they’re in). Usually you find out from a confused customer asking about an email you didn’t send, a Google Search Console warning, or a hosting suspension email at 2 a.m. If the site is WordPress, the WordPress malware guide explains what likely happened before that first warning appeared.


The Real Cost Isn’t the Cleanup

The cleanup is the cheap part. What’s expensive is the fallout that lasts after the site is restored:

  • Search visibility. Google flags compromised sites with the “This site may harm your computer” interstitial, and reviews can take days. During that time, organic traffic effectively goes to zero and rankings often take weeks to recover even after the warning clears.

  • Email deliverability. Once your domain is on Spamhaus, SORBS, or similar blocklists, getting off takes time and documentation. Meanwhile your invoices, quotes, and customer replies are landing in spam folders, and you usually don’t find out until a customer calls to ask where the estimate went.

  • Customer trust. One phishing email forwarded to a long-time client with your domain in the From address is the kind of thing that ends a working relationship. Trust is much slower to rebuild than software.

The IBM Cost of a Data Breach report puts the global average breach cost at $4.44 million (to be clear, that figure is dominated by large enterprises with regulated data, so it’s not the number a small business should plan around). The honest framing is simpler: the cost of recovering from a small-business website compromise is consistently many times the cost of preventing one.


Why small businesses get hit hardest

Simply put, it’s because the math favors them:

Large businesses                                 Small businesses
-----------------------------------------------  --------------------------------------------------------------
Dedicated security staff and monitoring          Owner-managed, often with a designer or generalist contractor
Patch cycles measured in days                    Plugin updates whenever someone remembers
24/7 detection with defined incident response    First sign of trouble is usually a customer complaint
Cyber insurance and a recovery plan              Whatever the host's backup retention happens to be

It’s faster and cheaper for a botnet to compromise a thousand small sites than to attack one well-defended large one. Each compromised small site becomes part of the infrastructure that scans for the next thousand.

The deeper problem is that small business owners often don’t notice the breach for weeks. By then the site has been used to send phishing, host malware, or skim card data, and the cleanup involves the host, the registrar, Google Search Console, deliverability blocklists, and sometimes the payment processor.


Prevention is the cheap part

A small business website doesn’t need enterprise-grade security. It just needs the basics done consistently:

  • Timely updates and hardening — patching on a real schedule, removing unused plugins and themes, and closing off the most common attack paths before scanners find them.

  • Off-site backups that have actually been tested. A backup you’ve never restored from is a hope, not a recovery plan.

  • Real monitoring that catches file changes, new admin accounts, and unusual traffic patterns within minutes — not when a customer mentions something seems off.
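As an added example (not the author's code or any tool from this page), here is a small Python drift check of the kind the monitoring bullet describes: it hashes the site tree against a baseline taken while the site was known clean, reports added, modified and removed files, and separately flags scripts or HTML pages under wp-content/uploads/, the location the phishing example earlier mentions. The path prefix, the suffix list and the sample site tree are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Scripts or pages never belong under uploads/; one sitting there is the
# classic sign of a planted phishing kit or webshell (assumed suffix list).
SUSPECT_UPLOAD_SUFFIXES = {".php", ".phtml", ".php5", ".html", ".htm", ".js"}


def hash_tree(root):
    """Return {relative_path: sha256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline, current):
    """Classify drift since the baseline: added, modified, removed paths."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(set(current) - set(baseline)),
            "modified": sorted(p for p in common if baseline[p] != current[p]),
            "removed": sorted(set(baseline) - set(current))}


def suspicious_uploads(manifest, prefix="wp-content/uploads/"):
    """Flag script/HTML files under uploads/ regardless of the baseline."""
    return sorted(p for p in manifest
                  if p.startswith(prefix) and Path(p).suffix.lower() in SUSPECT_UPLOAD_SUFFIXES)


def demo():
    """Constructed sample site tree showing what one check run reports."""
    site = Path(tempfile.mkdtemp())
    (site / "wp-content/uploads/2024").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed sample\n")
    (site / "wp-content/uploads/2024/logo.png").write_bytes(b"\x89PNG constructed")
    baseline = hash_tree(site)  # taken while the site is known clean
    # Simulate what a compromise leaves behind: a planted login clone and an edited config.
    (site / "wp-content/uploads/2024/office365.html").write_text("<form>constructed</form>\n")
    (site / "wp-config.php").write_text("<?php // constructed sample, tampered\n")
    current = hash_tree(site)
    report = diff_manifests(baseline, current)
    report["suspicious_uploads"] = suspicious_uploads(current)
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

In practice the baseline manifest would be stored off the server (an attacker who can edit files can edit a local manifest too) and the check run from cron, alerting on any non-empty result.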

None of this is glamorous and all of it works. The sites I’ve taken over from previous owners or developers that don’t get compromised are the ones running this short list. The ones that get compromised aren’t running any of it.


Know where you stand

If you’ve never had a security professional look at your site from the outside, the honest answer to “am I exposed?” is “you don’t know yet.” The free check takes a few minutes and tells you what an attacker’s scanner would already see.


Sources: IBM Cost of a Data Breach Report 2025 (global average figure, weighted toward larger enterprises). For WordPress-specific vulnerability data, see the Patchstack Vulnerability Database.
