
Website Security for Kenyan SMEs: A 10-Point Checklist (Hackers Target Small Businesses Too)

Newtrum Team · 6 min read

Your business is a target. Yes, yours.

"I'm too small. Hackers don't care about me." This is what every Kenyan SME owner thinks before their website gets defaced, their customer data stolen, or their M-Pesa account drained. 43% of cyberattacks target small businesses — precisely because they have weak security. Here's your 10-point protection plan.

The 10-point website security checklist

1. Use strong, unique passwords everywhere

Not "admin123". Not your phone number. Not "password". Use a password manager (Bitwarden is free) to generate and store 16-character random passwords for:

  • WordPress/admin login
  • Hosting control panel (cPanel)
  • FTP/SFTP credentials
  • Database (phpMyAdmin)
  • Domain registrar

2. Enable two-factor authentication (2FA) everywhere

2FA means even if someone steals your password, they can't log in without your phone. Enable 2FA on:

  • WordPress (Google Authenticator or similar)
  • Google Workspace / email
  • Hosting provider (if they offer it)
  • Social media accounts linked to your site

3. Keep everything updated

Outdated software is how 80% of hacks happen. Set up:

  • Automatic updates for your CMS (WordPress can do minor updates)
  • Weekly check for plugin/theme updates
  • Monthly check for PHP version updates (hosting provider)
  • A calendar reminder if you don't have automated maintenance

4. Install a Web Application Firewall (WAF)

A WAF blocks malicious traffic before it reaches your site.

  • Free option: Cloudflare free tier (includes basic WAF, SSL, CDN) — highly recommended
  • Paid options: Sucuri, Wordfence Premium (KES 5,000-15,000/year)

5. Daily automated backups stored offsite

If you get hacked, you need a clean backup. Backups on the same server as your site are useless (hackers delete them too).

  • Daily backups stored in a different location (Google Drive, Dropbox, separate cloud storage)
  • Keep 30 days of backups minimum (so you can go back before the hack)
  • Test your backups every 3 months (try restoring to a test site)

6. Limit login attempts

Hackers use bots to try thousands of password combinations. Stop them with:

  • Limit login attempts plugin (WordPress, free)
  • Lockout after 3-5 failed attempts
  • CAPTCHA on login page (Google reCAPTCHA free tier)
  • Change default login URL (from /wp-admin to something custom)

7. Remove unused plugins and themes

Every unused plugin or theme is a potential backdoor. Deactivating it does not remove its files from the server, so a vulnerability in that code can still be exploited.

  • Delete plugins you're not actively using (not just deactivate — delete)
  • Delete unused themes (keep only your active theme and default WordPress theme)
  • Do this monthly

8. Secure M-Pesa integration

If you accept M-Pesa on your site, attackers will target it.

  • Never store M-Pesa API keys in your database (use environment variables)
  • Rotate API credentials every 90 days (Safaricom allows this)
  • Monitor transactions daily for anomalies (multiple small failed attempts)
  • Use webhooks to confirm payments, not just frontend scripts
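To make item 8 concrete, here is an added example (ours, not the page's or Safaricom's code) of the server-side confirmation step: credentials come from environment variables, and an order is marked paid only when the payment provider's callback arrives, matches a pending order, carries an unused receipt and covers the amount. The environment variable names, the secret token in the callback URL and the callback shape (modelled on a Daraja STK push callback) are assumptions; check field names against Safaricom's current documentation.

```python
import hmac
import os

# Orders created before sending the customer to pay, keyed by CheckoutRequestID (constructed).
PENDING_ORDERS = {"ws_CO_0001": {"amount": 1500, "status": "pending", "receipt": None}}
SEEN_RECEIPTS = set()  # receipts already credited, so a replayed callback cannot credit twice
# Constructed callback shaped like a Daraja STK push result (an assumption; verify against docs).
SAMPLE_CALLBACK = {"Body": {"stkCallback": {
    "CheckoutRequestID": "ws_CO_0001", "ResultCode": 0, "ResultDesc": "Success",
    "CallbackMetadata": {"Item": [{"Name": "Amount", "Value": 1500.0},
                                  {"Name": "MpesaReceiptNumber", "Value": "TEST0000001"}]}}}}

def load_credentials(env=None):
    """Read API credentials from environment variables (names are assumptions),
    never from the database, a file in the web root, or the source code."""
    env = os.environ if env is None else env
    names = ("MPESA_CONSUMER_KEY", "MPESA_CONSUMER_SECRET", "MPESA_PASSKEY")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("missing credentials in environment: " + ", ".join(missing))
    return {n: env[n] for n in names}

def _metadata(callback):
    """Flatten the Name/Value item list in the callback into a plain dict."""
    items = callback.get("Body", {}).get("stkCallback", {}).get("CallbackMetadata", {}).get("Item", [])
    return {item.get("Name"): item.get("Value") for item in items}

def confirm_payment(callback, url_token, expected_token):
    """Decide whether a callback proves an order was paid. Returns (credited, reason).
    Only this server-side check marks an order paid; nothing the browser reports does."""
    # The callback URL registered with the provider carries a random secret token
    # (assumption); compare it in constant time before trusting anything in the body.
    if not hmac.compare_digest(url_token, expected_token):
        return False, "bad callback token"
    body = callback.get("Body", {}).get("stkCallback", {})
    order = PENDING_ORDERS.get(body.get("CheckoutRequestID"))
    if order is None or order["status"] != "pending":
        return False, "unknown or already settled order"
    if body.get("ResultCode") != 0:
        return False, "payment failed: " + str(body.get("ResultDesc", "no description"))
    meta = _metadata(callback)
    receipt = meta.get("MpesaReceiptNumber")
    if not receipt or receipt in SEEN_RECEIPTS:
        return False, "missing or replayed receipt"
    if float(meta.get("Amount", 0)) < order["amount"]:  # paid amount vs what the order needs
        return False, "underpaid: %s of %s" % (meta.get("Amount"), order["amount"])
    SEEN_RECEIPTS.add(receipt)
    order.update(status="paid", receipt=receipt)
    return True, "credited " + receipt
```

The same callback delivered twice credits the order once; the second delivery is rejected because the order is no longer pending and the receipt is already recorded.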

9. Regular security scans

You can't fix what you don't see. Run scans:

  • Free: Wordfence free plugin (daily scan)
  • Free external: Sucuri SiteCheck (manual, but good for spot checks)
  • Paid: Jetpack Security (KES 5,000-10,000/year)
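Item 9 is about seeing what is wrong, and the daily transaction check item 8 asks for is something you can script. As an added example (ours, not the page's), this runs over a constructed sample of a day's payment attempts and flags any payer number with a burst of small failed requests, which is the anomaly item 8 describes; the log line format, thresholds and phone numbers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of one day's payment attempts, one per line:
# timestamp, payer phone, result, amount in KES, provider message or receipt.
SAMPLE_LOG = """\
2024-05-03T09:12:01 254700000001 FAILED 10 Request cancelled by user
2024-05-03T09:12:40 254700000001 FAILED 10 Request cancelled by user
2024-05-03T09:13:15 254700000001 FAILED 5 Request cancelled by user
2024-05-03T09:14:02 254700000001 FAILED 5 Insufficient balance
2024-05-03T09:30:00 254700000002 SUCCESS 1500 TEST0000002
2024-05-03T10:05:11 254700000003 FAILED 2000 Insufficient balance
2024-05-03T11:00:00 254700000003 SUCCESS 2000 TEST0000003
"""

def parse_line(line):
    """Split one log line into (timestamp, phone, result, amount, message)."""
    ts, phone, result, amount, message = line.split(" ", 4)
    return datetime.fromisoformat(ts), phone, result, float(amount), message

def find_probing(log_text, max_failed=3, small_amount=100, window=timedelta(minutes=10)):
    """Return {phone: count} for payers with more than max_failed small failed
    attempts inside any window. One failed 2,000 KES payment is a customer with
    an empty wallet; a burst of failed 5 and 10 KES requests is someone probing."""
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, phone, result, amount, _ = parse_line(line)
        if result == "FAILED" and amount <= small_amount:
            failures[phone].append(ts)
    flagged = {}
    for phone, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):      # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failed:
                flagged[phone] = max(flagged.get(phone, 0), count)
    return flagged

def daily_report(log_text):
    """Text a human reads each morning: who to look at, or an explicit all-clear."""
    flagged = find_probing(log_text)
    if not flagged:
        return "no probing detected"
    return "\n".join("%s: %d small failed attempts" % (p, c) for p, c in sorted(flagged.items()))
```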

10. Educate your team (and yourself)

Most hacks start with a human mistake — clicking a phishing email, sharing a password, using an unsafe Wi-Fi network.

  • Never share passwords via WhatsApp or email
  • Don't log into your website from public Wi-Fi (coffee shop, hotel) without a VPN
  • Verify unexpected emails asking for logins or payments (call the sender)
  • Delete suspicious emails immediately

What to do if you've already been hacked

Don't panic. Follow this sequence:

  1. Take your site offline immediately (rename .htaccess or use maintenance mode)
  2. Contact your hosting provider — they may have a clean backup
  3. Change ALL passwords (hosting, FTP, database, admin, M-Pesa API keys)
  4. Scan for malware (Wordfence, Sucuri, or hire a pro)
  5. Restore from a clean backup (if you have one)
  6. If no backup, rebuild from scratch (painful lesson)
  7. If customer data was exposed, report to Office of Data Protection (ODPC) within 72 hours — it's the law

How much does security cost?

  • Free: Cloudflare (basic WAF, SSL), strong passwords, removing unused plugins
  • Low (KES 5,000-15,000/year): Premium security plugin, daily backups, 2FA
  • Professional (KES 20,000-50,000/year): Managed security service, hack repair retainer, regular audits

The cost of recovering from a hack (lost sales, customer trust, repair bills) is almost always higher than prevention.

Need a security audit?

We offer website security audits for Kenyan SMEs. We'll check your passwords, backups, plugins, and M-Pesa integration — and give you a prioritized fix list.

Message us on WhatsApp for a free security checklist and a fixed quote for a full audit.

Ready to grow your business online?

Send us a quick WhatsApp message. We reply with a fixed quote within 24 hours.