How we implemented layered web security for a group of small business websites – blocking thousands of malicious requests every week that standard protection was letting slip right past.
Small business websites are attacked constantly. Not by sophisticated hackers with specific targets in mind – but by automated bots that scan millions of websites every single day, probing for weaknesses, outdated software, exposed files, and misconfigured security settings.
These clients had what most people would consider “standard” website security in place. A reputable CDN and network protection service, an SSL certificate, and a regularly updated platform. On the surface, they looked well protected.
But when we reviewed what was actually reaching their web servers, the picture was very different. Thousands of malicious requests were passing through their existing defences every week – completely undetected, and entirely unknown to the business owners. No alerts. No logs they could easily read. No visibility at all.
The risk was real. A single successful request of the type we were seeing could have exposed customer data, given an attacker access to the website’s backend, or taken the site offline entirely.
After implementing detailed security monitoring, we were able to see the full picture of what these websites were facing. The attacks fell into several categories – all of which are common across the internet, and all of which are specifically designed to exploit gaps that basic security doesn’t cover.
Bots repeatedly attempting to access hidden configuration files that can contain database passwords and API keys.
Attempts to navigate outside the website’s root directory to read sensitive server files, including system logs and access records.
Automated probing for backup files, database dumps, configuration files, and developer tools left accessible on the server.
Malicious database queries injected into form fields and URL parameters, designed to extract or corrupt database contents.
Sophisticated attempts to run malicious code on the web server – the most serious category of attack, with potential for full site compromise.
Attempts to inject malicious scripts into web pages that would then execute in the browsers of legitimate visitors.
Targeted requests specifically looking for exposed cloud service credentials – a growing and highly lucrative attack vector.
Attempts to trick the server into making requests to internal systems – used to map infrastructure and access restricted resources.
Bots using known scanner signatures to probe for specific software versions, plugin vulnerabilities, and unpatched components.
Requests targeting version control files, editor backup files, and working copies that can expose the entire website’s codebase.
Advanced injection techniques targeting JavaScript application logic – capable of bypassing authentication and altering application behaviour.
Systematic testing of API endpoints and admin interfaces to find those that don’t require authentication or can be manipulated.
Rather than applying a generic, out-of-the-box solution, we took the time to understand each website individually – its platform, its plugins, its legitimate traffic patterns, and its specific risk profile. Security that’s too aggressive breaks real functionality. Security that’s too loose lets attacks through. Getting the balance right requires expertise and ongoing attention.
We began by implementing detailed request-level logging to get a clear picture of what was actually hitting each website – separating legitimate traffic from malicious activity and identifying the specific attack patterns in use.
We deployed and configured a Web Application Firewall – an additional security layer that sits behind standard network protection and inspects every request at the application level. Unlike basic security measures, a WAF understands the content and intent of requests, not just their source.
Out-of-the-box security rules are a starting point, not a finish line. We reviewed every rule against each client’s legitimate traffic and tuned the configuration specifically for their applications – ensuring real users and real functionality were never disrupted.
Security isn’t a one-time job. Attackers adapt, software changes, and new vulnerabilities are discovered constantly. We provide monthly log reviews, threat reporting in plain English, and proactive rule updates – so our clients always know their protection is current.
Within the first week of full implementation, we had blocked over 4,000 malicious requests across the client group – none of which had been stopped by their existing security setup. Every major attack category was covered, with no disruption to legitimate website traffic or functionality.
Equally importantly, the business owners now have visibility they never had before. Rather than simply hoping nothing is wrong, they receive a clear monthly summary of what their website faced and what was stopped – without needing to understand the technical detail themselves.
Default security settings protect against the most obvious threats. But automated attacks are sophisticated, relentless, and specifically designed to probe for the gaps that defaults leave open. For small businesses handling customer data, processing payments, or simply relying on their website to represent them online – the cost of getting this wrong far outweighs the cost of getting it right.
Managed web application security doesn’t have to be complex or expensive. With the right expertise and the right setup, it’s one of the most cost-effective investments a small business can make in its digital presence.
Most small business websites aren’t. Let’s find out where yours stands – and fix it if it needs it.
Get a Free Security ReviewManaged WAF & security monitoring from £49/month. No long contracts.
"I had no idea any of this was happening to my website. Knowing it's being monitored and protected properly is a real peace of mind."
A clean, straightforward layout focused on clarity and ease of use – giving the company a professional online presence that’s simple and effective.
This comprehensive tool helps construction and safety professionals streamline regulatory compliance processes and efficiently manage projects. Key features include: Real-time tracking of building regulation compliance across projects Integrated project diary and status monitoring Process and submission tracking for regulatory requirements Design Review management with colour-coded RAG status indicators Change control system for tracking project variations […]
With a comprehensive range of creative design and development services, my friendly approach ensures every project is crafted with passion and precision from start to finish.
