Password Security for Business Websites: A Practical Guide

Sam Hembury · 30 December 2024 · 12 min read · Beginner

Learn how to protect your business website with strong password practices. Covers password managers, two-factor authentication, team access, and what to do if you've been compromised.

Key Takeaways

  1. Most website hacks exploit weak or reused passwords - a password manager eliminates this risk
  2. Two-factor authentication stops attackers even if they get your password
  3. Every team member should have their own login - shared passwords are a security nightmare
  4. When sharing access with agencies, use dedicated accounts with appropriate permissions
  5. Changing passwords after staff leave or agency relationships end is essential, not optional

Your website password might be the only thing standing between your business and someone who wants to use your site to sell counterfeit Viagra, redirect your customers to scam sites, or steal your customer data.

Dramatic? Maybe. But it happens every day to businesses that thought "it won't happen to me."

Here's what you actually need to know about password security - without the technical jargon.

Most hacked sites weren't targeted - they were guessed
Without a password manager and two-factor authentication, your website login is one automated bot away from being compromised. Most hacks exploit the simplest weakness: predictable passwords.

Why Website Passwords Get Hacked

It's Not Personal - It's Automated

Here's something most people don't realise: hackers aren't sitting in dark rooms manually trying to break into your specific website. Instead, automated bots scan millions of websites constantly, trying common username and password combinations.

These bots try:

  • admin / password123
  • admin / admin
  • admin / [your business name]
  • administrator / 123456
  • The email address visible on your site / common passwords

If your password is predictable, a bot will crack it. It's not a matter of if - it's when.

The Reuse Problem

Here's the bigger issue: most people use the same password across multiple sites. When one site gets breached (and data breaches happen constantly), attackers get a list of email/password combinations. They then automatically try those combinations on thousands of other sites.

This is called "credential stuffing" and it's devastatingly effective.

Example: You used your usual email and password for some marketing tool five years ago. That company got breached. Now attackers have your email and password - and they're trying it on your WordPress site, hosting account, and domain registrar.

If you've reused that password anywhere that matters, you're compromised.
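The two patterns described above (bots guessing a handful of usernames, and leaked credentials being tried across many accounts) leave a recognisable trace in a site's login log. The following is an added example, not part of the original article: it runs over a constructed log in an assumed format (`<time> <client-ip> POST /wp-login.php <status> user=<username>`) and flags source IPs whose behaviour looks automated, including a login that succeeded right after a burst of failures, which is the "you're compromised" case.

```python
import re
from collections import defaultdict

# Constructed sample of a site's login log (not real traffic). Assumed format:
# "<time> <client-ip> POST /wp-login.php <status> user=<username>", 401 = rejected, 200 = accepted.
SAMPLE_LOG = """\
2024-12-30T09:00:01 203.0.113.7 POST /wp-login.php 401 user=admin
2024-12-30T09:00:02 203.0.113.7 POST /wp-login.php 401 user=admin
2024-12-30T09:00:03 203.0.113.7 POST /wp-login.php 401 user=administrator
2024-12-30T09:00:04 203.0.113.7 POST /wp-login.php 401 user=shopname
2024-12-30T09:00:05 203.0.113.7 POST /wp-login.php 401 user=info@example.com
2024-12-30T09:00:06 203.0.113.7 POST /wp-login.php 200 user=info@example.com
2024-12-30T09:01:10 198.51.100.9 POST /wp-login.php 401 user=sam
2024-12-30T09:01:25 198.51.100.9 POST /wp-login.php 200 user=sam
2024-12-30T09:02:00 192.0.2.44 POST /wp-login.php 401 user=admin
2024-12-30T09:02:01 192.0.2.44 POST /wp-login.php 401 user=admin
2024-12-30T09:02:02 192.0.2.44 POST /wp-login.php 401 user=admin
2024-12-30T09:02:03 192.0.2.44 POST /wp-login.php 401 user=admin
2024-12-30T09:02:04 192.0.2.44 POST /wp-login.php 401 user=admin
"""

LINE_RE = re.compile(r"^\S+ (?P<ip>\S+) POST /wp-login\.php (?P<status>\d{3}) user=(?P<user>\S+)$")
FAIL_THRESHOLD = 5   # this many rejected logins from one IP is not a person mistyping
SPRAY_USERS = 3      # this many different usernames from one IP means a list is being worked

def analyse_logins(log_text: str) -> dict:
    """Group login attempts by source IP and label the bot patterns the article describes."""
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "compromised": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        if m["status"] == "401":
            rec["fails"] += 1
            rec["users"].add(m["user"])
        elif m["status"] == "200" and rec["fails"] >= FAIL_THRESHOLD:
            rec["compromised"] = m["user"]   # a success right after a burst of failures
    findings = {}
    for ip, rec in per_ip.items():
        if rec["fails"] < FAIL_THRESHOLD:
            continue   # an occasional typo is normal; leave real users alone
        kind = ("credential stuffing / spraying" if len(rec["users"]) >= SPRAY_USERS
                else "password guessing")
        findings[ip] = {"kind": kind, "fails": rec["fails"],
                        "users": sorted(rec["users"]), "compromised": rec["compromised"]}
    return findings
```

The human user at 198.51.100.9 (one typo, then success) is left alone; the two other IPs are reported, one of them with the account that was actually broken into.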

The Real Risks of Poor Password Security

Getting your website hacked isn't just an inconvenience. Here's what can actually happen:

Website Defacement

Your homepage gets replaced with something embarrassing, offensive, or promoting illegal products. Your customers see it. Your competitors might screenshot it. Google might index it.

Spam Distribution

Your site becomes a spam relay, sending thousands of emails selling fake watches or worse. Your domain gets blacklisted. Legitimate emails to customers start bouncing.

Malicious Redirects

Visitors to your site get sent to scam sites, phishing pages, or malware downloads. Google may flag your site as dangerous, showing warnings that destroy visitor trust instantly.

Data Theft

If your site collects any customer information - contact details, payment info, login credentials - attackers can steal it. Beyond the immediate damage, this potentially puts you in breach of GDPR with serious legal and financial consequences.

SEO Devastation

Hackers often inject hidden links and pages to boost their own dodgy sites. Google may penalise or remove your site from search results entirely. Recovering your rankings can take months.

Ransomware

Some attackers encrypt your site and demand payment. Without backups, you might face the choice of paying criminals or rebuilding from scratch.

One weak password triggers a chain reaction
A compromised login doesn't just affect your site. The damage cascades through your entire online presence.
  1. Breach - attacker gets in through a weak or reused password
  2. Damage - spam injected, content defaced, or data stolen
  3. Blacklisting - Google flags your site, emails start bouncing
  4. Revenue loss - customers leave, SEO rankings tank for months

Password Managers: Why They're Essential

A password manager is a secure vault that stores all your passwords and can generate strong, unique passwords for every account.

Why You Need One

Without a password manager, you're either:

  1. Using the same password everywhere (dangerous)
  2. Using simple passwords you can remember (dangerous)
  3. Writing passwords on sticky notes (dangerous and embarrassing)
  4. Forgetting passwords constantly (frustrating)

With a password manager, you:

  • Remember only one strong master password
  • Get a randomly generated, unique password for every other account
  • Have passwords auto-filled when you need them
  • Can share access with your team securely

Which Password Manager?

For Solo Business Owners:

  • Bitwarden - Free tier is excellent, paid is cheap (less than $1/month)
  • 1Password - Polished experience, slightly more expensive

For Teams:

  • 1Password Teams - Great sharing and permissions features
  • Bitwarden Teams - More affordable, still solid

Avoid:

  • Saving passwords in your browser without a master password
  • Free password managers from unknown developers
  • Any solution that stores passwords unencrypted

Getting Started

  1. Download a password manager (Bitwarden is a good free start)
  2. Create a strong master password you'll remember
  3. Install the browser extension
  4. Start adding your important logins
  5. Let it generate new, strong passwords when you next change them

The first week feels slower. After that, it's faster and infinitely more secure than whatever you're doing now.

Two-Factor Authentication Explained Simply

Two-factor authentication (2FA) means you need two things to log in:

  1. Something you know (your password)
  2. Something you have (usually your phone)

Even if someone gets your password, they can't log in without that second factor.

How It Works

After entering your password, you're asked for a code. This code comes from:

  • An authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
  • A text message (SMS - less secure but better than nothing)
  • A hardware key (YubiKey - most secure)

The code changes every 30 seconds, so even if someone sees one code, it's useless moments later.

Where to Enable 2FA

Prioritise these accounts:

  1. Email (if someone gets this, they can reset passwords everywhere)
  2. Domain registrar (controls your web address)
  3. Hosting account (controls your website files)
  4. Website admin (WordPress, Shopify, etc.)
  5. Payment processors (Stripe, PayPal)
  6. Social media (especially if linked to your business)

Setting Up 2FA on WordPress

  1. Install a security plugin (Wordfence, Solid Security, or WP 2FA)
  2. Go to the 2FA settings in the plugin
  3. Scan the QR code with your authenticator app
  4. Enter the code to confirm
  5. Save the backup codes somewhere safe (password manager is good)

Takes five minutes. Could save your business.

2FA stops 99.9% of automated attacks
Even if an attacker has your password, they can't get in without the code from your phone. Microsoft's research confirms 2FA blocks virtually all account compromise attacks. Five minutes to set up, potentially thousands saved.
  • 99.9% of account attacks blocked by 2FA
  • Code changes every 30 seconds
  • 5 minutes to set up on WordPress

Managing Team Access and Permissions

If more than one person needs access to your website, do not share passwords. It's tempting, but it creates serious problems.

Why Shared Passwords Are Bad

  • No accountability - If something goes wrong, who did it?
  • No revocation - When someone leaves, you have to change the password for everyone
  • Password spreading - Shared passwords get written down, emailed, stored insecurely
  • All-or-nothing access - Everyone gets the same level of access

The Right Way: Individual Accounts

Create a separate login for each person who needs access:

WordPress: Go to Users > Add New. Create accounts with appropriate roles:

  • Administrator - Full access (use sparingly)
  • Editor - Can publish and manage all posts
  • Author - Can publish and manage their own posts
  • Contributor - Can write but not publish

Principle of least privilege: Only give people the access level they actually need. Your blog writer doesn't need administrator access.

When Someone Leaves

The moment someone leaves your business or stops working with you:

  1. Remove or disable their account immediately
  2. If they had admin access, change any shared secrets (API keys, etc.)
  3. Review what they had access to
  4. Check for any accounts they might have created

This isn't about trust - it's about good security practice.

Sharing Passwords Safely with Agencies and Contractors

At some point, you'll need to give your web designer, SEO agency, or contractor access to your website. Here's how to do it properly.

Best Practice: Create a Dedicated Account

Instead of sharing your login:

  1. Create a new user account specifically for them
  2. Use their business email as the username
  3. Give them only the access level they need
  4. Document what access they have and when it was granted

When the project ends, disable the account.

If You Must Share Passwords

Sometimes you need to share an existing password (for hosting accounts that don't support multiple users, for example).

Never send passwords via:

  • Regular email (stored forever, easily forwarded)
  • Text message (stored by phone companies)
  • Slack/Teams in plain text (searchable, persistent)

Instead, use:

  • Password manager sharing - Both parties use the same manager (ideal)
  • One-time secret tools - Services like OneTimeSecret or Bitwarden Send create links that self-destruct after viewing
  • Encrypted message - If the person is technical, PGP-encrypted email

Always:

  • Change the password when the relationship ends
  • Keep a record of who has access to what
  • Review access periodically

Questions to Ask Your Agency

Before sharing access, ask:

  • How do you store client passwords?
  • Who at your company will have access?
  • What's your process when a staff member leaves?
  • Will you enable 2FA on accounts you manage?

A professional agency will have good answers. If they seem annoyed by these questions, consider it a red flag.

Emailing a password is the same as posting it publicly
Email, text, and Slack messages are stored forever and easily searchable. Use methods that don't leave a permanent trail.
Best: create a dedicated account for the agency (no password sharing needed)
Good: share via password manager (Bitwarden Send, 1Password sharing)
Acceptable: one-time secret tools (link self-destructs after viewing)
Never: email, text messages, or Slack in plain text

What to Do If You've Been Hacked

If you suspect your password has been compromised or your site has been hacked:

Immediate Steps (Do These Now)

  1. Change the password immediately - And make it a strong, unique one
  2. Enable 2FA - If it wasn't already enabled
  3. Log out all sessions - Most platforms have a "log out everywhere" option
  4. Check for unknown users - Look for admin accounts you didn't create
  5. Notify your host - They may have additional tools and logs

If Your Site Was Modified

  1. Don't panic, but act quickly
  2. Document what you see - Screenshots help if you need professional help
  3. Check your backups - You may need to restore
  4. Contact your host - Many offer security assistance
  5. Consider professional help - Cleanup services typically cost £200-500

After Recovery

  1. Change ALL related passwords - Website, hosting, domain, email, FTP, database
  2. Review who has access - Remove anyone who shouldn't
  3. Enable 2FA everywhere - Don't skip this again
  4. Set up monitoring - Security plugins can alert you to suspicious activity
  5. Schedule regular checks - Don't let this happen again

Check If You've Been Breached

Visit Have I Been Pwned and enter your email address. It shows if your email has appeared in known data breaches. If it has, any password you used on those breached sites should be considered compromised.

Regular Password Hygiene

Good password security isn't a one-time task. Build these habits:

Monthly

  • Check for any security alerts from your password manager
  • Review who has access to your critical accounts
  • Verify 2FA is still working (test it)

Quarterly

  • Review all users with access to your website
  • Remove accounts that are no longer needed
  • Check Have I Been Pwned for new breaches involving your email

When Things Change

  • Staff member leaves - Disable their accounts, change shared passwords
  • Agency relationship ends - Revoke access, change any passwords they knew
  • Service announces breach - Change password immediately
  • New device - Ensure your password manager syncs properly

Yearly

  • Audit all passwords in your manager
  • Update any that are weak or duplicated
  • Review your 2FA backup codes
  • Update recovery email addresses and phone numbers

What You Can Do This Week

Don't let this guide sit in a browser tab forever. Here's what to do right now:

Day 1-2: Get a Password Manager

  1. Download Bitwarden (free) or 1Password (free trial)
  2. Create your account with a strong master password
  3. Install the browser extension
  4. Add your most critical logins: email, hosting, domain registrar

Day 3-4: Enable Two-Factor Authentication

  1. Enable 2FA on your email (most important)
  2. Enable 2FA on your website admin
  3. Enable 2FA on your hosting account
  4. Download an authenticator app if you haven't already

Day 5-6: Audit Current Access

  1. List everyone who has access to your website
  2. For each person, verify they still need access
  3. Check their permission level - is it appropriate?
  4. Create individual accounts for anyone using shared logins

Day 7: Clean Up

  1. Remove accounts for anyone who no longer needs access
  2. Change any passwords that are weak, old, or shared
  3. Check Have I Been Pwned for your email addresses
  4. Set a calendar reminder to review this quarterly

The Bottom Line

Password security isn't complicated, but it does require attention. The basics are simple:

  • Use a password manager - One strong master password, unique passwords everywhere else
  • Enable two-factor authentication - Especially on email, hosting, and your website
  • Give individual access - No shared passwords, appropriate permission levels
  • Revoke access promptly - When people leave, remove their access
  • Stay vigilant - Regular reviews and updates

Most businesses that get hacked weren't specifically targeted. They were low-hanging fruit - weak passwords, no 2FA, no one paying attention.

Don't be low-hanging fruit.

Frequently Asked Questions

Which password manager should I use for my business?
For most small businesses, Bitwarden (free or affordable paid tier) or 1Password (excellent for teams) are solid choices. Both offer browser extensions, mobile apps, and secure sharing features. The best password manager is the one you'll actually use consistently.
Is two-factor authentication really necessary for a small business?
Yes. 2FA blocks the vast majority of automated attacks even if your password is compromised. It takes minutes to set up and could save you thousands in recovery costs. Microsoft research shows 2FA stops over 99.9% of account compromise attacks.
How should I share website passwords with my web designer?
Never email passwords directly. Either create a separate admin account for them (preferred), use a password manager's secure sharing feature, or use a one-time secret sharing tool. Always remove or change their access when the project ends.
How often should I change my website passwords?
The old advice of changing passwords every 90 days is outdated. With strong, unique passwords and 2FA, you only need to change passwords when: someone with access leaves, you suspect a breach, or a service you use announces a data leak.
