Is my website hackable?
Short answer: every website is probed by automated attacks, no matter how small. The useful question is whether yours has the specific weaknesses those bots look for. Here they are — and how to find out for sure.
This guide is deliberately not scary. Most small-site hacks are opportunistic and preventable — a bot finds a known weakness and exploits it automatically. Close the common weaknesses and you stop being the easy target. Here’s what to look at, in the order attackers actually look.
The 7 signs attackers look for first
1. Outdated CMS, plugins, or themes
The single biggest cause of small-site compromises. When a vulnerability in a popular plugin is published, bots begin exploiting it within hours — against every site running that version, everywhere. Self-check: log into your CMS and count the pending updates; anything more than a few weeks old is exposure. Abandoned plugins (no update in a year+) are worse than outdated ones.
2. Exposed admin panels and login pages
If /wp-admin, /admin, or a database panel like phpMyAdmin is reachable from the open internet, bots will find it and start guessing passwords the same day. Self-check: open an incognito window and try your own admin URLs. If they load without a VPN or IP restriction, at minimum enforce strong unique passwords and 2FA.
3. Missing security headers
Headers like Content-Security-Policy, HSTS, and frame protection are free browser-level defenses against script injection and clickjacking. Missing headers also signal to attackers that nobody is minding the shop. Self-check: free header scanners (or our free passive check) will grade yours in seconds.
4. No HTTPS, or a weak TLS configuration
A missing or misconfigured certificate lets attackers intercept traffic on shared networks and tells browsers to warn your visitors away. Old protocol versions and expired certificates count too. Self-check: look for the padlock, then run your domain through a TLS checker — the padlock alone doesn’t tell you the configuration is strong (more on that below).
5. Forgotten subdomains and staging sites
That staging.yoursite.com or old.yoursite.com from a redesign two years ago is often running unpatched software with default passwords — and it’s discoverable through certificate logs and DNS records. Self-check: list every subdomain you remember creating, then check what a certificate-transparency search returns for your domain. The difference between the two lists is your forgotten attack surface.
6. Leaked credentials from breach dumps
If you or a team member reused a password that appeared in someone else’s breach, attackers will try it against your admin login — this is called credential stuffing, and it’s fully automated. Self-check: search your email addresses on a reputable breach-notification service, and make sure no admin account reuses a password from anywhere else.
7. Exposed files and backups
Files like .env, backup.zip, .git directories, or database exports left in a public folder can hand an attacker your credentials and entire database in one request. Bots request these exact paths on every site they scan. Self-check: harder to do safely yourself — this is one of the first things a manual audit verifies.
The padlock myth: HTTPS is not the same as secure
The most common misconception we hear: “My site has the padlock, so it’s secure.” HTTPS does one job — it encrypts data in transit between the visitor’s browser and your server, so it can’t be read on the way. That matters, and you should have it. But it says nothing about the application itself.
A site can have a flawless certificate and still run a plugin with a known exploit, let logged-out users read paid content, or accept an admin password that’s in every breach dump. Phishing sites overwhelmingly use HTTPS too — the padlock is table stakes, not a security assessment. Signs 1, 2, 5, 6, and 7 above are all invisible to the padlock.
What to do next, by budget
- $0 — start with the free check. Our free passive check looks at what your site already exposes publicly — headers, TLS, visible software, exposed panels — with no login and no impact on your site. Pair it with the free security tools in our store for the self-checks above.
- $49 — full manual audit. A human engineer tests all 7 signs plus the things no scanner can: business logic, access control, and authentication flows. You get a written report with severity, evidence, and exact fixes — suitable to share with customers. Honest caveat: this is a productized small-site scope, not a multi-week enterprise engagement, and we’ll say so if your app needs more.
- $299 — audit plus fixes plus cover. Everything in the audit, then we fix the high and critical issues with you, re-test, and keep watch for 3 months. Best when you don’t have a developer on hand to action the report.
Every paid option starts only after you verify domain ownership and sign a recorded Authorization to Test, and both carry a 14-day money-back guarantee before the audit begins. Full details on the pricing page.
Common questions
Can small websites really get hacked?
Does HTTPS mean my site is secure?
How do hackers find my website in the first place?
How often should I check my website’s security?
What happens if my website gets hacked?
Is a free security check actually useful, or is it a sales gimmick?
Keep reading
Find out for sure — free
Run the free passive check on your domain. It covers several of the 7 signs above — no login, no charge, no impact on your site.