Attackers follow checklists too. These are the issues they look for first on small business websites — most of which take less than an hour to fix once you know they're there.
When someone scans your website looking for an entry point, they're not doing something exotic. They're running through a well-known list of common vulnerabilities — the same issues that appear on thousands of websites, never got fixed, and eventually became the way in.
Here are the ones that show up most often on small business websites, what each one actually means, and how to fix it.
HTTP security headers are instructions your web server sends to browsers telling them how to behave when displaying your site. Headers like HSTS, Content-Security-Policy, X-Frame-Options, and Referrer-Policy protect against clickjacking, cross-site scripting, and insecure connections. Most small business websites are missing several of them.
WordPress, Drupal, and Joomla all have a public record of every known vulnerability in every version. When you're running an outdated version, attackers can look up exactly what exploit applies to your site. This is one of the most common entry points for small business website compromises — not because the attacker is skilled, but because the vulnerability is well-documented and the exploitation is automated.
If your WordPress site's admin panel is accessible at /wp-admin from any IP address in the world, that's a brute-force target. Automated tools cycle through password lists against these endpoints constantly. It's not targeted — it's just automated opportunism at scale. The same applies to /phpmyadmin, /cpanel, /admin, and other common admin paths.
DMARC tells receiving mail servers what to do with a message that claims to come from your domain but fails the SPF or DKIM checks that prove it was authorized. Without a DMARC record, or with a policy of "p=none" (which only asks receivers to report spoofing, not to block it), anyone can send phishing emails that appear to come from your domain. Your customers, partners, and employees can receive fraudulent emails that look exactly like they're from you.
An expired SSL certificate immediately breaks the padlock in the browser, triggers security warnings, and tells visitors — and search engines — that your site is not secure. Google deprioritizes sites with SSL issues. Visitors bounce. And in the window between expiration and renewal, your traffic is unencrypted. This is a purely operational failure that's completely avoidable.
Developers sometimes hardcode API keys, database credentials, or internal service tokens into JavaScript files that get served publicly to browsers. This is more common than most business owners realize — it's a development shortcut that gets pushed to production and forgotten. Anyone who views your page source or runs a scan can extract these credentials.
CORS (Cross-Origin Resource Sharing) controls which other websites' scripts a browser will let read responses from your site's API or resources. A policy set to "allow all origins" (Access-Control-Allow-Origin: *) means a page on any website on the internet can call your API from a visitor's browser and read what comes back, malicious sites included. For APIs that handle user data or authenticated requests, this is a serious misconfiguration.
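The two header checks described above (the missing security headers, and the CORS wildcard) as an added example that is not part of the original article or of Ghost's scanner: it audits one response's headers offline, using constructed sample headers in place of a real HTTP response; the 180-day HSTS threshold and the finding wording are this example's own choices.

```python
import re

# Constructed sample headers, as a small business site might send them; in
# practice you would pass a real response's headers (e.g. requests.head(url).headers).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

# The headers the article names, each with the reason it matters.
EXPECTED = {
    "strict-transport-security": "browsers keep using HTTPS (HSTS)",
    "content-security-policy": "limits where scripts may load from (XSS)",
    "x-frame-options": "stops other sites framing your pages (clickjacking)",
    "referrer-policy": "limits what your URLs leak in the Referer header",
}
MIN_HSTS_AGE = 180 * 24 * 3600  # six months in seconds, a common minimum (assumed threshold)

def audit_headers(headers):
    """Return a list of findings for one response's headers (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}: {why}")
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (not age or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("weak strict-transport-security: max-age below 180 days")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unrecognised x-frame-options value: {xfo}")
    if h.get("access-control-allow-origin") == "*":
        findings.append("access-control-allow-origin is *: any site can read API responses")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```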
You don't need to manually check all of these. A well-designed automated scan covers every issue on this list — and runs them all in minutes.
Ghost checks for all seven of these plus 14 additional security factors: breach data, subdomain exposure, open ports, admin panel paths, redirect chains, technology CVEs, cookie security flags, domain impersonation, API endpoint exposure, and authentication surface analysis.