Website Security for Kenyan SMEs: A 10-Point Checklist (Hackers Target Small Businesses Too)
Your business is a target. Yes, yours.
"I'm too small. Hackers don't care about me." This is what every Kenyan SME owner thinks before their website gets defaced, their customer data stolen, or their M-Pesa account drained. 43% of cyberattacks target small businesses — precisely because they have weak security. Here's your 10-point protection plan.
The 10-point website security checklist
1. Use strong, unique passwords everywhere
Not "admin123". Not your phone number. Not "password". Use a password manager (Bitwarden is free) to generate and store 16-character random passwords for:
- WordPress/admin login
- Hosting control panel (cPanel)
- FTP/SFTP credentials
- Database (phpMyAdmin)
- Domain registrar
2. Enable two-factor authentication (2FA) everywhere
2FA means even if someone steals your password, they can't log in without your phone. Enable 2FA on:
- WordPress (Google Authenticator or similar)
- Google Workspace / email
- Hosting provider (if they offer it)
- Social media accounts linked to your site
3. Keep everything updated
Outdated software is how 80% of hacks happen. Set up:
- Automatic updates for your CMS (WordPress can do minor updates)
- Weekly check for plugin/theme updates
- Monthly check for PHP version updates (hosting provider)
- A calendar reminder if you don't have automated maintenance
4. Install a Web Application Firewall (WAF)
A WAF blocks malicious traffic before it reaches your site.
- Free option: Cloudflare free tier (includes basic WAF, SSL, CDN) — highly recommended
- Paid options: Sucuri, Wordfence Premium (KES 5,000-15,000/year)
5. Daily automated backups stored offsite
If you get hacked, you need a clean backup. Backups on the same server as your site are useless (hackers delete them too).
- Daily backups stored in a different location (Google Drive, Dropbox, separate cloud storage)
- Keep 30 days of backups minimum (so you can go back before the hack)
- Test your backups every 3 months (try restoring to a test site)
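Added example (not code from this page or from any backup plugin): a small Python routine that does the three things in the list above for a site folder. It writes a dated archive plus a SHA-256 checksum into a backup folder that you keep synced offsite, prunes archives older than 30 days while never dropping below a minimum count, and re-verifies each remaining archive. The `site-YYYYMMDD.tar.gz` naming, the `demo()` walk-through and the sample `wp-config.php` are constructed for the example; it does not dump the database, which a real job must also do.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def make_backup(site_dir, backup_dir, when):
    """Archive site_dir into backup_dir/site-YYYYMMDD.tar.gz and write a .sha256 beside it.

    backup_dir is meant to be a folder that is synced offsite (cloud storage, a
    separate server); an archive that exists only next to the site is not a backup.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{when:%Y%m%d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Cheap part of 'test your backups': checksum still matches and the archive opens."""
    archive = Path(archive)
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    if actual != expected:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return len(tar.getnames()) > 0


def prune_backups(backup_dir, today, keep_days=30, keep_min=7):
    """Delete archives older than keep_days, but always keep the newest keep_min.

    The date is taken from the file name, not the modification time, because
    copying files offsite often resets mtime.
    """
    archives = sorted(Path(backup_dir).glob("site-????????.tar.gz"))  # name order == date order
    cutoff = today - timedelta(days=keep_days)
    removed = []
    for archive in archives[:-keep_min] if keep_min > 0 else archives:
        stamped = datetime.strptime(archive.name[5:13], "%Y%m%d")
        if stamped < cutoff:
            archive.unlink()
            Path(str(archive) + ".sha256").unlink(missing_ok=True)
            removed.append(archive.name)
    return removed


def demo():
    """Simulate 40 daily backups of a constructed site, prune to 30 days, verify the rest."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        site.mkdir()
        (site / "wp-config.php").write_text("<?php // constructed placeholder, not a real config\n")
        backups = Path(tmp) / "backups"
        start = datetime(2024, 1, 1)
        for day in range(40):
            make_backup(site, backups, start + timedelta(days=day))
        today = start + timedelta(days=39)
        removed = prune_backups(backups, today, keep_days=30)
        remaining = sorted(p.name for p in backups.glob("site-*.tar.gz"))
        return {
            "removed": len(removed),
            "remaining": len(remaining),
            "oldest_kept": remaining[0],
            "all_verified": all(verify_backup(backups / name) for name in remaining),
        }


if __name__ == "__main__":
    print(demo())
```

The checksum catches a backup that was silently corrupted or truncated during the offsite copy; a quarterly restore onto a test site is still the only real proof that the backup works.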
6. Limit login attempts
Hackers use bots to try thousands of password combinations. Stop them with:
- Limit login attempts plugin (WordPress, free)
- Lockout after 3-5 failed attempts
- CAPTCHA on login page (Google reCAPTCHA free tier)
- Change the default login URL (from /wp-admin to something custom); this cuts bot noise but is not a substitute for the lockout above
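Added example (not code from this page or from any WordPress plugin): the logic a "limit login attempts" plugin puts in front of the password check, written in Python so the behaviour is visible. Failures are counted per account and per source IP, the fifth failure within 15 minutes locks both for 15 minutes, and a locked account rejects even the correct password. The user store, salt and password are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo user store: username -> (salt, PBKDF2 hash of the password).
# A real site keeps this in its database; the throttle below is what a
# "limit login attempts" plugin adds in front of the password check.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_DEMO_SALT = b"constructed-demo-salt"
USERS = {"shopadmin": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}


class LoginThrottle:
    """Count failed logins per account and per source IP; lock out after a threshold."""

    def __init__(self, max_failures=5, lockout_seconds=15 * 60, window_seconds=15 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time at which the lockout ends

    @staticmethod
    def _keys(username, ip):
        # Track both: one bot hammering one account, and one bot spraying a
        # single password across many accounts, are both caught.
        return (f"user:{username.lower()}", f"ip:{ip}")

    def locked_for(self, username, ip, now):
        """Seconds of lockout remaining for this account or IP (0 if not locked)."""
        remaining = max(self._locked_until.get(k, 0) - now for k in self._keys(username, ip))
        return max(0.0, remaining)

    def record_failure(self, username, ip, now):
        for k in self._keys(username, ip):
            recent = [t for t in self._failures[k] if now - t < self.window_seconds]
            recent.append(now)
            if len(recent) >= self.max_failures:
                self._locked_until[k] = now + self.lockout_seconds
                recent = []  # the counter starts fresh once the lockout expires
            self._failures[k] = recent

    def record_success(self, username, ip):
        for k in self._keys(username, ip):
            self._failures.pop(k, None)


def attempt_login(throttle, username, password, ip, now=None):
    """Return "locked", "ok" or "failed".

    The lockout is checked before the password, so a locked account rejects even
    the right password. Unknown users and wrong passwords get the same answer
    (and the same hashing work) so the page does not reveal which accounts exist.
    """
    now = time.time() if now is None else now
    if throttle.locked_for(username, ip, now) > 0:
        return "locked"
    salt, expected = USERS.get(username, (_DEMO_SALT, None))
    candidate = _hash_password(password, salt)
    if expected is not None and hmac.compare_digest(candidate, expected):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "failed"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(5):
        print(attempt_login(t, "shopadmin", "admin123", "198.51.100.7"))
    print(attempt_login(t, "shopadmin", "correct horse battery staple", "198.51.100.7"))
```

Counting by IP as well as by account matters because bots often try one common password against every username they can guess; counting only per account would never trip on that pattern. Behind Cloudflare or another proxy, use the real client address the proxy forwards, not the proxy's own.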
7. Remove unused plugins and themes
Every unused plugin or theme is a potential backdoor. Deactivating does not remove its files from the server, so vulnerable code in a deactivated plugin can still be reached and exploited.
- Delete plugins you're not actively using (not just deactivate — delete)
- Delete unused themes (keep only your active theme and default WordPress theme)
- Do this monthly
8. Secure M-Pesa integration
If you accept M-Pesa on your site, attackers will target it.
- Never store M-Pesa API keys in your database (use environment variables)
- Rotate API credentials every 90 days (Safaricom allows this)
- Monitor transactions daily for anomalies (multiple small failed attempts)
- Confirm payments from Safaricom's server-to-server callback (webhook), never from a frontend script alone; anything running in the customer's browser can be altered to report a payment that never happened
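Added example (not code from this page, from Safaricom, or from any plugin): a Python sketch of the two M-Pesa points above. Credentials are read from environment variables and the app refuses to start without them, and an order is only marked paid by the server-side callback after the callback token, the CheckoutRequestID, the result code, the amount and the receipt number all check out. The weak frontend-trusting version is kept beside it for contrast. The environment variable names and the callback token are this example's choice; the callback body is assumed to follow the STK Push callback layout in Safaricom's Daraja documentation (`Body.stkCallback` with `ResultCode` and `CallbackMetadata`), and all order and receipt values are constructed.

```python
import hmac
import os
from decimal import Decimal

# Credentials come from the environment (a .env file outside the web root, or the
# hosting panel's variables), never from a database table. These variable names
# are this example's choice; Daraja calls the values Consumer Key, Consumer Secret
# and Passkey. MPESA_CALLBACK_TOKEN is a long random string of our own that we
# put into the callback URL registered with Safaricom.
REQUIRED_ENV = ("MPESA_CONSUMER_KEY", "MPESA_CONSUMER_SECRET", "MPESA_PASSKEY", "MPESA_CALLBACK_TOKEN")


def load_mpesa_config(env=None):
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise RuntimeError("missing M-Pesa settings: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_ENV}


# Constructed in-memory stand-in for the shop's orders table.
ORDERS = {}            # order_id -> {"amount", "checkout_request_id", "status", "receipt"}
SEEN_RECEIPTS = set()  # M-Pesa receipt numbers already credited to an order


def create_pending_order(order_id, amount, checkout_request_id):
    ORDERS[order_id] = {"amount": Decimal(amount), "checkout_request_id": checkout_request_id,
                        "status": "pending", "receipt": None}
    return ORDERS[order_id]


def mark_paid_from_frontend(order_id, browser_says_paid):
    """WEAK: a browser script reports success. This request can be sent without paying."""
    if browser_says_paid:
        ORDERS[order_id]["status"] = "paid"
    return ORDERS[order_id]["status"]


def handle_mpesa_callback(path_token, payload, config):
    """Server-to-server confirmation. Returns (http_status, reason).

    `payload` is assumed to follow the STK Push callback layout in Safaricom's Daraja
    documentation (Body.stkCallback with ResultCode and CallbackMetadata); check the
    field names against the current docs before relying on them.
    """
    # 1. The callback URL registered with Safaricom contains a long random token, so
    #    POSTs to a guessed URL are rejected before anything is parsed.
    if not hmac.compare_digest(path_token, config["MPESA_CALLBACK_TOKEN"]):
        return 403, "bad callback token"
    try:
        cb = payload["Body"]["stkCallback"]
        checkout_id = cb["CheckoutRequestID"]
        result_code = int(cb["ResultCode"])
    except (KeyError, TypeError, ValueError):
        return 400, "malformed callback"
    # 2. Only a CheckoutRequestID that this server issued can be settled.
    order = next((o for o in ORDERS.values() if o["checkout_request_id"] == checkout_id), None)
    if order is None:
        return 404, "unknown checkout request"
    if order["status"] == "paid":
        return 200, "already processed"  # Safaricom may retry the callback
    if result_code != 0:
        order["status"] = "failed"
        return 200, "payment failed: " + str(cb.get("ResultDesc", ""))
    items = {i.get("Name"): i.get("Value") for i in cb.get("CallbackMetadata", {}).get("Item", [])}
    # 3. Amount in the callback must match the order, and a receipt can credit one order only.
    if Decimal(str(items.get("Amount", "0"))) != order["amount"]:
        return 409, "amount mismatch"
    receipt = items.get("MpesaReceiptNumber")
    if not receipt or receipt in SEEN_RECEIPTS:
        return 409, "missing or reused receipt"
    SEEN_RECEIPTS.add(receipt)
    order["status"] = "paid"
    order["receipt"] = receipt
    return 200, "paid"


def make_callback(checkout_id, result_code, amount, receipt):
    """Build a constructed callback body in the assumed layout (for testing)."""
    return {"Body": {"stkCallback": {
        "MerchantRequestID": "constructed-merchant-id", "CheckoutRequestID": checkout_id,
        "ResultCode": result_code, "ResultDesc": "constructed",
        "CallbackMetadata": {"Item": [{"Name": "Amount", "Value": amount},
                                      {"Name": "MpesaReceiptNumber", "Value": receipt}]}}}}
```

The amount and receipt checks are the part most shops skip: without them a genuine KES 10 payment could be replayed against a KES 10,000 order, or one receipt credited to several orders. The rejected callbacks (403, 404, 409) are exactly the events worth logging for the daily anomaly review in the list above.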
9. Regular security scans
You can't fix what you don't see. Run scans:
- Free: Wordfence free plugin (daily scan)
- Free external: Sucuri SiteCheck (manual, but good for spot checks)
- Paid: Jetpack Security (KES 5,000-10,000/year)
10. Educate your team (and yourself)
Most hacks start with a human mistake — clicking a phishing email, sharing a password, using an unsafe Wi-Fi network.
- Never share passwords via WhatsApp or email
- Don't log into your website from public Wi-Fi (coffee shop, hotel) without a VPN
- Verify unexpected emails asking for logins or payments (call the sender)
- Delete suspicious emails immediately
What to do if you've already been hacked
Don't panic. Follow this sequence:
- Take your site offline immediately (rename .htaccess or use maintenance mode)
- Contact your hosting provider — they may have a clean backup
- Change ALL passwords (hosting, FTP, database, admin, M-Pesa API keys)
- Scan for malware (Wordfence, Sucuri, or hire a pro)
- Restore from a clean backup (if you have one)
- If no backup, rebuild from scratch (painful lesson)
- If customer data was exposed, report to the Office of the Data Protection Commissioner (ODPC) within 72 hours — it's the law
How much does security cost?
- Free: Cloudflare (basic WAF, SSL), strong passwords, removing unused plugins
- Low (KES 5,000-15,000/year): Premium security plugin, daily backups, 2FA
- Professional (KES 20,000-50,000/year): Managed security service, hack repair retainer, regular audits
The cost of recovering from a hack (lost sales, customer trust, repair bills) is almost always higher than prevention.
Need a security audit?
We offer website security audits for Kenyan SMEs. We'll check your passwords, backups, plugins, and M-Pesa integration — and give you a prioritized fix list.
Message us on WhatsApp for a free security checklist and a fixed quote for a full audit.