Website security in layers, not luck
Most business websites are protected by hope and a padlock icon. Real website security is layered: patched software, a firewall, daily malware scans, hardened logins and backups that restore. We build and run every layer for a fixed monthly price.
What a compromise really costs
Six layers that stop almost everything
Attacks are automated, so defence has to be systematic. Each layer catches what the previous one misses. This is what we run on every site we protect.
Patching, on time
Most hacks exploit vulnerabilities patched weeks earlier. We update core, plugins, themes and PHP promptly, with checks afterwards. Old PHP matters too: see our PHP upgrade service.
Web application firewall
A WAF filters malicious traffic before it reaches your site: SQL injection, brute-force floods, known exploit probes. The cheapest layer per attack it blocks.
Daily malware scanning
File integrity and malware scans every day, plus blacklist monitoring, so an infection is caught in hours. If a scan finds something, removal starts immediately.
Hardening the targets
Login protection and strong authentication, XML-RPC locked down, file permissions corrected, database prefixes and configuration secrets secured. Boring, and devastatingly effective.
SSL done properly
Certificates installed, auto-renewed and monitored for expiry, with the whole site forced to HTTPS. Encryption is table stakes; letting a certificate lapse still takes sites offline every day.
Backups: the last line
When every other layer fails, a clean, off-server, test-restored backup is the difference between an hour of downtime and a rebuild. See website backups.
Two ways to spend money on security
The best incidents are the ones nobody notices
Before: quiet, cheap, invisible
Prevention is unglamorous. Updates applied on a Tuesday, a firewall rule added, a login attempt blocked from an IP in a country you do not trade with. Nothing to see, which is the point. Our uptime and security monitoring watches around the clock and a human investigates every alert, so incidents become non-events.
- 1-minute uptime checks with instant alerts, 24/7
- Malware, blacklist and SSL expiry monitoring included
- From £29 a month, cancel any time
Rescue available, prevention recommended
After: loud, expensive, public
The other way is the phone call: the site is redirecting to a pharmacy scam, Google is warning visitors away, email is bouncing because the domain is blacklisted. We handle those too, calmly and fast, through our hacked website repair service. But every rescue we do would have been cheaper as a year of prevention.
- Full clean, backdoor closure and blacklist removal for £249
- 30-day re-infection guarantee on every rescue
- Hardening applied afterwards so it does not happen twice
How visible is your website on Google right now?
Run our free SEO checker. It scans any page in about 30 seconds and shows the exact issues holding back your rankings.
Website security plans
Start with monitoring, step up to full care, or call us for a rescue. Prices exclude VAT.
Uptime & Security Monitoring
Know before your customers do. Monitoring with real alerts and action.
£29 /month
£290 /year
- 1-minute uptime checks, 24/7
- Instant email and SMS alerts
- Malware and blacklist monitoring
- SSL expiry monitoring
- Monthly uptime report
- We investigate every incident
Professional Care
For business sites where downtime costs money. Our most popular plan.
£119 /month
£1190 /year
- Everything in Essential
- 60 minutes of development time every month
- Same-day emergency response
- Speed and Core Web Vitals monitoring
- Monthly accessibility scan
- Phone and email support, 7 days
Hacked Site Rescue
Malware removed, site restored, Google warnings cleared.
£249 one-off
- Full malware scan and clean
- Backdoors found and closed
- Google blacklist removal request
- Security hardening after cleanup
- 30-day re-infection guarantee
- Incident report for your records
All prices exclude VAT. Cancel monthly plans any time. Secure card and Direct Debit payments powered by Stripe.
Frequently asked questions
How do I make my website secure?
Layer your defences: keep core software, plugins and PHP patched, put a firewall in front of the site, scan for malware daily, harden the obvious targets (login page, XML-RPC, file permissions), serve everything over SSL and keep tested off-server backups. No single layer is enough; together they stop the vast majority of attacks.
How much do website security services cost in the UK?
Our monitoring starts at £29 a month, which covers uptime, malware and blacklist scanning with a human investigating every incident. Full care including patching, firewall, hardening and backups is £119 a month on Professional Care. For comparison, cleaning up a single hack costs £249 plus the trading days you lose.
Why would anyone hack my small business website?
Attackers do not choose you, their bots do. Automated scanners sweep the web for known plugin vulnerabilities and weak logins, then use whatever they catch: your server sends spam, hosts phishing pages or redirects your visitors to scam sites. 43% of cyber attacks target small businesses precisely because they are the least defended.
Is SSL enough to secure a website?
No. SSL encrypts traffic between the visitor and your server, which matters, but it does nothing about outdated plugins, weak passwords, malware or backdoors. A site can show the padlock and be thoroughly compromised at the same time. Treat SSL as one layer of several, not a security strategy.
What does a hacked website actually cost a business?
The cleanup fee is the small part. Add the sales lost while Google shows "This site may be hacked", email that stops delivering because your domain is blacklisted, customers who never trust the site again and the rankings that can take months to recover. Prevention at £29 to £119 a month is cheap against that bill.
How often should website software be updated?
Check weekly, patch promptly. Most compromises exploit vulnerabilities that were publicly patched weeks or months earlier; attackers literally read the changelogs and scan for sites that have not caught up. Our care plans apply updates every week with visual checks afterwards, so patches never wait and never silently break the site.