
No business is ‘too small’ to be a target – Secure your organisation with Cyber Essentials

By Jason Boyd  |  13 April 2026

If you run a small business, there is a reasonable chance you have told yourself at some point that you are not an interesting target for cyber criminals. You are not a bank. You are not a hospital. You do not hold millions of customer records. The logic feels sound — but the data tells a different story. Half of all small businesses in the UK suffered a cyber breach or attack in the last twelve months, and 41% of micro businesses and 50% of small businesses identified breaches or attacks in 2025 according to the UK Government Cyber Breaches Survey. The NCSC and DSIT have responded with a direct campaign built around a blunt message: no business is too small to be a target. That message deserves to be taken seriously.

The reason small businesses are targeted so frequently is not despite their size — it is partly because of it. Automated scanning tools do not discriminate. They probe every accessible system on the internet looking for unpatched software, weak passwords, and misconfigured services. A WordPress site running an outdated plugin presents exactly the same opportunity to an attacker whether it belongs to a sole trader or a listed company. The difference is that the sole trader is far less likely to have the defences in place to stop what comes next.

The financial consequences are not abstract. Significant cyber incidents cost an average of £195,000 for affected businesses. For most small businesses, that figure is not merely damaging — it is potentially terminal. It covers incident response, recovery time, lost revenue, regulatory exposure, and reputational fallout. And the reputational dimension matters particularly for businesses whose primary commercial presence is their website. A compromised WordPress website can be used to deliver malware to the site’s own visitors — meaning your clients, your prospects, and your partners could be harmed directly by an attack on your business. That is not a risk that can be absorbed quietly.

75% of SMB owners now rank cyberattacks as their number one operational threat in 2026. The awareness is there. What is often missing is a structured, practical response to that awareness — something that goes beyond buying antivirus software and hoping for the best.

What Cyber Essentials actually covers, and why it matters for WordPress businesses

Cyber Essentials is a UK government-backed certification scheme that defines five technical controls every organisation should have in place. It is not an academic exercise. The controls are designed to address the most common routes through which businesses are successfully attacked, and each one maps directly onto threats that WordPress-powered businesses face on a daily basis.

  • Firewalls — controlling what traffic can reach your systems and filtering out malicious requests before they touch your site or server infrastructure.
  • Secure configuration — ensuring that software, servers, and devices are not left in default or unnecessarily permissive states. Poorly configured WordPress installations and hosting environments are a common point of entry.
  • User access control — limiting who can do what across your systems. Unused administrator accounts and shared credentials are among the simplest problems for attackers to exploit.
  • Malware protection — having active, up-to-date defences against malicious software across the devices used to manage your business and your website.
  • Patch management — keeping your operating systems, applications, and — critically for WordPress businesses — your plugins, themes, and core installation updated promptly. Unpatched software is consistently the most common vector in successful attacks against small businesses.

Achieving certification requires you to demonstrate that these controls are genuinely in place, not just nominally adopted. The process also forces an honest audit of where your current defences fall short, which is itself valuable regardless of the outcome.

The commercial case for certification is increasingly concrete. Cyber Essentials certification is now mandatory for many public and private sector contracts, and a growing number of organisations require suppliers to hold it in order to bid for work. If you are pursuing contracts in financial services, healthcare, legal, or government supply chains, the question may not be whether certification helps — it may be whether you can compete without it. Beyond eligibility, the financial protection is measurable: organisations holding Cyber Essentials certification make 92% fewer cyber insurance claims. Insurers have noticed, and many now offer reduced premiums to certified businesses.

Where to start

The NCSC provides a free Cyber Essentials readiness tool that allows you to assess your current position against the five controls before committing to a formal assessment. It is a straightforward starting point and will quickly surface the areas that need attention. The certification itself is available at two levels — Cyber Essentials, which is self-assessed, and Cyber Essentials Plus, which involves independent technical verification. For most small businesses, starting with the self-assessed route is sensible.

If your business runs on WordPress, there are specifics worth addressing before any formal assessment — plugin hygiene, hosting environment configuration, access controls across your CMS, and your update and backup processes. These are not areas where generalised guidance is particularly useful. The decisions you make depend on how your site is built, where it is hosted, and what it connects to.

If you would like a direct conversation about where your WordPress environment stands against the Cyber Essentials controls, and what would need to change to give you a credible shot at certification, get in touch. That is exactly the kind of conversation I have with business owners who are ready to treat cyber security as a commercial priority rather than an afterthought.

Written By Jason Boyd

An experienced WordPress specialist with 20+ years of experience transforming problematic websites into high-performing business assets through technical excellence in performance, security, SEO and sustainable development.
