Hacked Philippine business websites are not a hypothetical. We see at least one fresh case a week — defaced homepages, leaked customer lists, ransomware on the WordPress admin, fake products inserted into legitimate stores. Most of these breaches were preventable with basic security hygiene.
Here are the 10 essentials, ranked by impact. Get these right and you eliminate the vast majority of attacks that hit PH SMEs.
1. HTTPS Everywhere (SSL Certificate)
Your website must use https:// in every URL. Free SSL via Let's Encrypt is standard in 2026 — if anyone is charging you for SSL, fire them. HTTPS encrypts traffic between your visitors and your server, prevents browser warnings, and is a confirmed Google ranking factor.
2. Strong, Unique Admin Passwords
The single most common breach we see in the Philippines: the owner's personal email password doubling as the admin password for the business website. Use a password manager (Bitwarden free, 1Password paid). Never reuse passwords across accounts.
3. Two-Factor Authentication (2FA) on Every Admin Account
Even with a strong password, breached credentials surface in dark-web dumps weekly. 2FA stops attackers cold. Enable it on hosting, domain registrar, WordPress admin, CMS admin, Cloudflare, email — every admin account.
4. Regular Software Updates
Outdated WordPress, plugins, themes, and CMS installations are the #1 attack vector. Schedule monthly updates. Better: enable automatic security updates where available.
5. Daily Off-Site Backups
When (not if) something goes wrong, backups are what save you. Run daily automated backups and store them OFF the server that hosts your website. Test a restore at least quarterly to make sure the backups actually come back.
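A backup that has never been restored is only a hope. The script below is an added example, not code from the original article: it archives a site directory into a separate location, records a checksum, and then performs the restore test the article asks for by extracting the archive to scratch space and comparing every file against the live site. The "offsite" directory stands in for a remote destination (another provider's storage, an object-storage bucket), and the site files and paths are constructed.

```python
"""Daily backup to a separate location, plus a restore test.
Added example, not code from the original article. The 'offsite' directory
stands in for a remote destination; paths and sample site files are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256.
    Files are read whole here; chunked reads would suit large media."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(site_dir: Path, offsite_dir: Path, stamp: str = "") -> Path:
    """Archive site_dir into offsite_dir and record the archive checksum in a manifest."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    offsite_dir.mkdir(parents=True, exist_ok=True)
    archive = offsite_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    manifest = {
        "archive": archive.name,
        "sha256": hashlib.sha256(archive.read_bytes()).hexdigest(),
        "created": stamp,
    }
    manifest_path = offsite_dir / (archive.name[: -len(".tar.gz")] + ".json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path, original_dir: Path) -> dict:
    """Restore test: checksum the archive, extract to scratch space, compare with the live site."""
    manifest_path = archive.parent / (archive.name[: -len(".tar.gz")] + ".json")
    manifest = json.loads(manifest_path.read_text())
    result = {"checksum_ok": False, "restore_ok": False, "differences": []}
    if hashlib.sha256(archive.read_bytes()).hexdigest() != manifest["sha256"]:
        return result  # corrupted or tampered copy: never restore from it
    result["checksum_ok"] = True
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (Python 3.12+)
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = file_hashes(Path(scratch) / "site")
    live = file_hashes(original_dir)
    result["differences"] = sorted(
        k for k in live.keys() | restored.keys() if live.get(k) != restored.get(k)
    )
    result["restore_ok"] = not result["differences"]
    return result


def demo() -> dict:
    """Build a constructed site, back it up, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed sample file\n")
        (site / "wp-content" / "uploads" / "logo.txt").write_text("sample upload\n")
        offsite = Path(tmp) / "offsite"
        archive = create_backup(site, offsite, stamp="20260301T010000Z")
        clean = verify_backup(archive, site)
        # Simulate a damaged off-site copy by flipping one byte of the archive
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        damaged = verify_backup(archive, site)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `create_backup` from a nightly cron job and `verify_backup` on the quarterly schedule (or weekly, it is cheap); a database dump belongs in the same archive for a real site, which the constructed example leaves out.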
6. A Web Application Firewall (WAF)
A WAF sits in front of your website and blocks malicious traffic before it reaches your server. Cloudflare's free plan includes a basic WAF. Premium WAFs from Sucuri or Wordfence (for WordPress) add more rules. Either is dramatically better than nothing.
7. Limit Login Attempts
Brute-force attacks try thousands of password combinations per hour. Install a plugin or use server-level rules that lock out IPs after 5 failed attempts. This alone stops 99% of brute-force attempts without any other security upgrade.
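What a login-attempt limiter actually does is a small amount of bookkeeping per source address. The following is an added example, not code from the original article or from any plugin it names: a sliding-window counter that locks an IP after the article's 5 failed attempts, replayed over a constructed login log. The log format, the TEST-NET addresses, the 15-minute window and the 30-minute lockout are all illustrative choices.

```python
"""Lock out an IP after repeated failed logins (sliding window).
Added example, not code from the original article or any named plugin.
The log format, addresses and timestamps are constructed; the threshold of
5 failures follows the article, the window and lockout lengths are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                   # the article's threshold
WINDOW = timedelta(minutes=15)     # failures older than this no longer count
LOCKOUT = timedelta(minutes=30)    # how long a locked IP stays blocked

# Constructed sample log: "timestamp ip outcome username"
SAMPLE_LOG = """\
2026-03-02T09:00:01Z 203.0.113.7 FAIL admin
2026-03-02T09:00:02Z 203.0.113.7 FAIL admin
2026-03-02T09:00:03Z 203.0.113.7 FAIL administrator
2026-03-02T09:00:04Z 203.0.113.7 FAIL root
2026-03-02T09:00:05Z 203.0.113.7 FAIL admin
2026-03-02T09:00:06Z 203.0.113.7 OK admin
2026-03-02T09:05:00Z 198.51.100.20 FAIL maria
2026-03-02T09:05:20Z 198.51.100.20 OK maria
2026-03-02T09:40:00Z 203.0.113.7 FAIL admin
"""


class LoginGuard:
    """Per-IP failure counter with a sliding window and a temporary lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lockout ends

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip: str, now: datetime, success: bool) -> str:
        """Feed one attempt; return 'allowed', 'locked' (this attempt tripped the lock) or 'rejected'."""
        if self.is_locked(ip, now):
            return "rejected"            # blocked even if the password happens to be right
        if success:
            self.failures.pop(ip, None)  # a genuine login clears the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()             # drop failures that fell outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            recent.clear()
            return "locked"
        return "allowed"


def parse_line(line: str):
    """Split one constructed log line into (datetime, ip, success, user)."""
    ts, ip, outcome, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, outcome == "OK", user


def replay(log_text: str) -> list:
    """Run the guard over a log and return one decision per line."""
    guard = LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, success, user = parse_line(line)
        action = guard.record(ip, when, success)
        decisions.append({"time": when.isoformat(), "ip": ip, "user": user, "action": action})
    return decisions


if __name__ == "__main__":
    for d in replay(SAMPLE_LOG):
        print(d["time"], d["ip"], d["user"], d["action"])
```

The point worth noticing in the replay: the sixth attempt from 203.0.113.7 carries the right password and is still rejected, because the lockout is keyed on the address, not on whether the guess was correct. Real deployments key on the client IP as seen behind the WAF or CDN (the forwarded address, not the proxy's), otherwise one lockout blocks every visitor.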
8. Remove or Hide the Default Admin Username
WordPress, cPanel, and most CMSes ship with default admin usernames ("admin", "root", "administrator"). Attackers know this. Rename your admin user to something unique. Same idea for the WordPress login URL — change /wp-admin/ to something custom.
9. Monitor for Unauthorized Changes
A tool like Wordfence or Sucuri scans your site daily and alerts you if files change unexpectedly. This catches infections in hours instead of months. For non-WordPress sites, services like StatusCake or UptimeRobot monitor critical pages for unexpected content changes.
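The core of any file-change scanner is a baseline of hashes compared against the current tree. Below is an added example, not code from the original article or from Wordfence or Sucuri: it snapshots a constructed WordPress-style directory, then reports files that were added, removed or modified after a simulated compromise. The ignore list for cache paths is an assumption, and the "suspicious" flag (PHP appearing under the uploads directory, which should only hold media) is a common defensive heuristic added here, not something the article describes.

```python
"""File-integrity check: record a baseline of file hashes, then report what changed.
Added example, not code from the original article or any named scanner.
The site tree is constructed; the ignore prefixes are an assumption.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these paths churn legitimately and would drown real alerts in noise
IGNORE_PREFIXES = ("wp-content/cache/", "wp-content/uploads/logs/")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Hash every file under root, keyed by relative POSIX path, skipping ignored prefixes."""
    result = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        result[rel] = sha256_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh snapshot."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    # Heuristic (assumption): executable code under uploads/ deserves an immediate look
    suspicious = sorted(
        k for k in added + modified
        if k.startswith("wp-content/uploads/") and k.endswith((".php", ".phtml"))
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed site, take a baseline, alter it, and report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads" / "2026").mkdir(parents=True)
        (site / "wp-content" / "cache").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed\n")
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "wp-content" / "uploads" / "2026" / "photo.txt").write_text("image placeholder\n")
        # Taken right after a clean deploy; in practice store it OFF the server
        baseline = snapshot(site)

        # Simulated next-day state: core file edited, PHP dropped into uploads,
        # config deleted, and ordinary cache churn that should not alert
        (site / "index.php").write_text("<?php // constructed, now altered\n")
        (site / "wp-content" / "uploads" / "2026" / "x.php").write_text("<?php // constructed unexpected file\n")
        (site / "wp-config.php").unlink()
        (site / "wp-content" / "cache" / "page.html").write_text("cached\n")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline somewhere the web server cannot write to, or send it off the host along with the backups: an intruder who can edit site files can also edit a baseline stored beside them, and the scan would then report a clean site.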
10. Have an Incident Response Plan
Decide today: if your website is hacked tomorrow, who do you call? What's your hosting provider's emergency contact? What is your DPO doing? Who notifies customers? Plans written before an incident work; plans written during an incident fail.
For the data-privacy side of website incidents, our Data Breach Response Plan article covers the NPC 72-hour requirements.
The Quick Self-Audit
Score yourself out of 10. One point per item you have today.
- 9 to 10: well-protected
- 6 to 8: workable, but visible gaps
- 4 to 5: at real risk
- Under 4: actively waiting for an incident
Honest answers only.
The Three Quickest Wins If You Are Starting Today
If you cannot do all 10 immediately, do these three first:
- Enable 2FA on every admin account
- Set up Cloudflare's free plan (HTTPS + WAF + CDN in one)
- Schedule daily backups to a separate location
These three alone prevent the majority of attacks we see.
Frequently Asked Questions
Is my web designer responsible for security?
Initial setup, yes. Ongoing maintenance is a separate engagement. Many freelance projects launch secure and decay over time as updates are skipped.
Does Cloudflare free really do all that?
Yes. The free plan includes HTTPS, basic WAF, DDoS protection, and CDN. It is one of the highest-value free tools on the internet for small business security.
What if I get hacked anyway?
Contain first (change passwords, revoke access, restore from a clean backup), then assess scope, then, if personal data was involved, notify the NPC within 72 hours. See the data breach response article linked above.
Need a Free Security Audit?
We run free 15-minute security audits for Philippine business websites: we score your site against the 10 essentials and tell you the 2 fastest wins. Send us a message at RDahunan I.T. Services.
