What leaves your website exposed (and how to check yours in 2 minutes)
The doors most websites leave open without realising, why they cost the owner money and visitors, and how to check the state of yours without being technical.
Most of the websites we review haven’t been hacked by anyone. They’re simply exposed: they have open doors the owner can’t see, because nobody told them they were there. You don’t need a sophisticated attack to have a problem; it’s enough for something to sit outdated for months until, one quiet day, an automated bot finds it.
This isn’t scaremongering. It’s the difference between a site that works and a site that holds up. And it can almost always be seen from the outside, without touching anything. Here are the most common exposures, what they mean for your business, and how to check them yourself.
1. Anyone can send emails in your name
Your business has a domain —yourcompany.com— and your emails go out from it. What almost nobody configures are the three DNS records (called SPF, DKIM and DMARC) that tell the world which servers are allowed to send mail in your name. Without them, anyone can send an email that appears to come from an address at yourcompany.com and lands clean in the inbox: your employees’, your customers’, your suppliers’.
This isn’t theory. It’s the basis of the frauds that hit small businesses hardest: “CEO fraud” (an email that looks like it’s from management asking for an urgent transfer) and the fake invoice (an impersonated supplier asking to be paid into a different account). They work because the email looks legitimate —and, technically, your domain has never said anywhere that it isn’t.
What it means for you: they don’t need to attack you directly; it’s enough to use your name to fool others. A customer who gets a fake invoice “from you” loses money and trust, and the blame, fair or not, splashes back on you. Setting up those records is free and slams the door shut.
How to see it: this isn’t visible in the browser, but it can be checked in seconds without touching anything. Search Google for “check DMARC”, enter your domain and see whether a policy shows up. If it comes back empty or says “none”, your name is up for grabs.
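For readers who want to see what those checkers are actually reading, here is an added example (not from the original article) that interprets the SPF and DMARC records a domain publishes. The records are constructed samples; a real check fetches the TXT records of yourcompany.com and _dmarc.yourcompany.com from DNS and feeds them in (DKIM needs a selector name and is left out).

```python
"""Read the SPF and DMARC records a domain publishes and say what they mean.

Added example, not from the original article. The records below are
constructed samples; a real check fetches the TXT records of yourcompany.com
(SPF) and _dmarc.yourcompany.com (DMARC) from DNS and feeds them in.
"""
from typing import Optional


def dmarc_policy(txt_record: Optional[str]) -> str:
    """Effective DMARC policy: 'missing', 'none', 'quarantine' or 'reject'."""
    if not txt_record or not txt_record.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for part in txt_record.split(";"):  # record is "tag=value; tag=value; ..."
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    # p= is mandatory in DMARC; a record without it gives receivers no policy.
    return tags.get("p", "missing")


def spf_strictness(txt_record: Optional[str]) -> str:
    """What SPF says about unlisted servers: 'missing', 'strict', 'soft' or 'open'."""
    if not txt_record or not txt_record.strip().lower().startswith("v=spf1"):
        return "missing"
    for term in txt_record.split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":  # the catch-all mechanism ends the record
            qualifier = t[0] if t[0] in "+-~?" else "+"
            return {"-": "strict", "~": "soft"}.get(qualifier, "open")
    return "open"  # no "all" term: SPF defaults to neutral, so nothing is refused


def name_is_protected(spf_record: Optional[str], dmarc_record: Optional[str]) -> bool:
    """True only when receivers are actually told to act on forged mail."""
    return (dmarc_policy(dmarc_record) in ("quarantine", "reject")
            and spf_strictness(spf_record) in ("strict", "soft"))


# Constructed sample records (not real DNS data).
SAMPLE_SPF = "v=spf1 include:_spf.example.net ~all"
SAMPLE_DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com"

if __name__ == "__main__":
    for label, rec in (("monitor only", SAMPLE_DMARC_MONITOR_ONLY),
                       ("enforcing", SAMPLE_DMARC_ENFORCING)):
        verdict = "protected" if name_is_protected(SAMPLE_SPF, rec) else "up for grabs"
        print(f"{label}: DMARC p={dmarc_policy(rec)}, SPF {spf_strictness(SAMPLE_SPF)} -> {verdict}")
```

A record with p=none only asks receivers to report forgeries, which is why the article treats "none" the same as no record at all.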
2. The site says more than it should
Many sites loudly advertise what technology they run and which version: “WordPress 5.8”, “PHP 7.2”, the server name, the installed plugins. Anyone can read this in seconds. And here’s the problem: if that version has a known, published flaw, you’ve handed an attacker the map and the key at once.
Real attacks aren’t hooded figures picking you out. They’re bots crawling the internet, testing millions of sites, looking for exactly those old versions with known flaws. They don’t choose you: they find you.
What it means for you: an outdated site isn’t a “just in case” risk; it’s a statistical, constant one. The longer it goes without updating, the more likely a bot lands on the combination that opens your door. And when it gets in, the usual outcome isn’t visible damage: it’s injected spam, redirecting your visitors elsewhere, or quietly stealing data for weeks.
3. The security instructions for the browser are missing
A modern site can give instructions to the visitor’s browser: “don’t let anyone load me inside another site”, “always force the secure connection”, “don’t run scripts I haven’t authorised”. These are the security headers, and they’re free: they cost nothing in performance, they’re invisible to visitors, and they close entire families of attacks at once.
The vast majority of sites don’t have them set. Not because they’re hard, but because nobody took care of it.
What it means for you: without them, your site is open to being visually “hijacked” (showing your brand inside a scam), to having content injected, or to having your users’ sessions stolen. With them, many of those attacks stop being possible. It’s the difference between leaving the key in the lock and bolting the door.
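For the technically inclined, here is an added example (not from the original article) that checks a captured set of response headers for the three instructions described above. The header sets are constructed samples; in practice you would take them from the browser's network tab or `curl -sI https://yourcompany.com`.

```python
"""Check whether a site sends the browser instructions the article describes.

Added example, not from the original article. The header sets below are
constructed samples. The checks test presence and basic sanity of each
header, not the strength of a policy (a CSP that allows everything passes).
"""

def _lower(headers: dict) -> dict:
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}

def _csp_directives(headers: dict) -> dict:
    """Parse Content-Security-Policy into {directive: [sources]}."""
    csp = _lower(headers).get("content-security-policy", "")
    out = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out

def has_frame_protection(headers: dict) -> bool:
    """'Don't let anyone load me inside another site' (clickjacking)."""
    xfo = _lower(headers).get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in _csp_directives(headers)

def forces_https(headers: dict) -> bool:
    """'Always force the secure connection' (HSTS with a positive max-age)."""
    hsts = _lower(headers).get("strict-transport-security", "").lower()
    for directive in hsts.split(";"):
        name, _, value = directive.strip().partition("=")
        if name == "max-age" and value.strip().isdigit() and int(value) > 0:
            return True
    return False

def restricts_scripts(headers: dict) -> bool:
    """'Don't run scripts I haven't authorised' (CSP governs script sources)."""
    directives = _csp_directives(headers)
    return "script-src" in directives or "default-src" in directives

def missing_protections(headers: dict) -> list:
    """Plain-language names of the instructions the site fails to send."""
    checks = {"frame embedding": has_frame_protection,
              "forced HTTPS": forces_https,
              "script restriction": restricts_scripts}
    return [name for name, check in checks.items() if not check(headers)]

# Constructed samples: a typical unconfigured server and a hardened one.
UNCONFIGURED = {"Server": "ExampleServer/1.0", "Content-Type": "text/html"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff"}
```

Running `missing_protections(UNCONFIGURED)` lists all three gaps; the hardened set returns an empty list.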
4. Slow is also a way of being exposed
This surprises a lot of people, but speed is business security. A site that takes more than 3 seconds to appear loses visitors before they even see what you sell. Google measures it (the metrics are called Core Web Vitals) and uses it to decide your position in the results.
What it means for you: this isn’t technical vanity. Every extra second is people leaving, carts abandoned and positions lost to a faster competitor. A slow site costs you money every day, whether you see it or not.
5. And if something happens? The question almost nobody can answer
The last exposure can’t be seen from outside, but it’s the most important: when was your site last backed up, and have you ever checked that it can actually be restored?
A backup nobody has tried to restore isn’t a backup: it’s a hope. The day something fails —a plugin that breaks the site, an attack, human error— the difference between “fixed in an hour” and “we lost two weeks of work” is exactly that.
How to know where you stand
The first four exposures can be measured from the outside, without access to your site and without installing anything. That’s why we built Analyse your site: you enter your address and it tells you, in plain language, how fast, accessible and well-kept it is — with the real numbers underneath in case you want to verify it.
It’s not a substitute for a deep audit, but it gives you an honest snapshot in two minutes. If something comes up red, it doesn’t mean you’ve been hacked; it means there’s a door worth closing before someone tries it.
And if you’d rather we looked at it and told you what to close first, tell us about your site. The first review is no strings attached: we tell you how it stands and what we’d do, no jargon and no surprises.