
HTTPS and basic website security — explained for ordinary businesses

What does the padlock in your browser mean, and what does it really take for a small business website to be safe? A simple guide with no scare tactics.

By Mediseo

You've seen the little padlock next to a web address. Most people know it means "safe", but not what it actually does. Here's what you need to know about HTTPS and basic security — no scaremongering, and no turning you into an expert you don't need to be.

What the padlock actually means

HTTPS is the encrypted version of the connection between a visitor's browser and your website. Encryption means the information sent back and forth is made unreadable to anyone in between. If someone types their name, email or card number into a form, an outsider can't read it on the way.

Without HTTPS, everything is sent in plain text. Think of it as the difference between a sealed envelope and a postcard: the postcard can be read by anyone who handles it. HTTPS is the envelope.

The padlock in the browser only confirms that the connection is encrypted. It does not say the business itself is trustworthy — only that the line is secure. That's an important nuance to know.

Why it's no longer optional

A few years ago, HTTPS was something online shops and banks needed. Today it's expected of everyone.

  • Browsers warn against sites without it. Visitors can see a "Not secure" warning before they even reach your page. That scares people off.
  • Search engines prefer it. HTTPS is a signal Google uses in ranking. Sites without it can end up further down.
  • People expect it. A modern website with no padlock looks neglected, even to visitors who don't know why.

The good news: HTTPS is free and easy to set up. What you need is called an SSL certificate, and the vast majority of hosting providers offer one at no extra cost. Usually it's just a matter of switching it on.
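For whoever looks after the site technically: once HTTPS is switched on, it is worth confirming that the old http:// address sends visitors on to https:// and that the certificate lists your domain and is not about to run out. The sketch below is an added example, not code from Mediseo or from any hosting provider; the function names, the 14-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

WARN_DAYS = 14  # assumed renewal-warning threshold, not from the article

def redirects_to_https(status, location, host):
    """Plain-HTTP visitors should be sent on to the encrypted address."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    bare = host.lower().removeprefix("www.")
    return target.scheme == "https" and target.hostname in (bare, "www." + bare)

def cert_covers(cert, host):
    """Is this host name listed in the certificate (exact or *.wildcard)?"""
    names = [n.lower() for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    parent = host.lower().split(".", 1)[-1]
    return host.lower() in names or "*." + parent in names

def days_left(cert, now_ts):
    """Whole days until the certificate's notAfter date."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400

def https_problems(host, status, location, cert, now_ts):
    problems = []
    if not redirects_to_https(status, location, host):
        problems.append("http:// address does not redirect to https://")
    if not cert_covers(cert, host):
        problems.append("certificate does not list " + host)
    remaining = days_left(cert, now_ts)
    if remaining < WARN_DAYS:
        problems.append(f"certificate expires in {remaining} days")
    return problems

def fetch_live(host):
    """Gather the same inputs from a site you run (needs network access)."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    # An expired or mismatched certificate raises ssl.SSLCertVerificationError here.
    with socket.create_connection((host, 443), timeout=10) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            return resp.status, resp.getheader("Location"), tls.getpeercert()

# Constructed sample data so the checks run offline.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
               "notAfter": "Jun 15 12:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 01 12:00:00 2025 GMT")
```

An empty list from `https_problems` means all three checks passed. Like the padlock itself, it says nothing about whether the business behind the site is trustworthy.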

Security is more than the padlock

HTTPS protects the connection, but it's only one layer. A safe website rests on a few more simple habits. You don't need to be technical to keep them.

Keep everything updated. Most break-ins on small sites happen because something out of date — a content system or an add-on module — had a known hole. Updates close those holes. Set them to automatic where you can.

Use strong, unique passwords. A long password that isn't reused anywhere else is one of the most effective things you can do. A password manager makes this painless.

Turn on two-factor authentication. This means logging in requires the password and a one-time code on your phone. Even if the password leaks, nobody gets in without your phone. Switch it on everywhere it's offered.

Make sure you have backups. If something goes wrong, a recent copy is the difference between a bad day and a disaster. Check that your provider takes them automatically.

The most common threats — in plain terms

The words sound dramatic, but the ideas are simple:

  • Phishing is fake emails or messages that trick you into giving up a password. It is the most common way into trouble, and it targets people, not machines.
  • Malware is malicious software that can get in via an out-of-date system or an infected file.
  • Spam and bots fill your forms with rubbish. Annoying, but rarely dangerous — and easy to curb with simple filtering.

Notice that the most dangerous of these targets people, not technology. The best line of defence is often that you and your staff know what a fake email looks like.

How much should a small business worry?

A sensible amount. You don't need a security department, and most small businesses aren't a chosen target. But you should have the basics in place: HTTPS switched on, everything updated, strong passwords, two-factor authentication and backups. That covers the large majority of real risk.

What we tend to remind people is that security isn't one big project, but a handful of small habits. Get them in place once and keep them up, and your website is safer than most — without it eating into your time.

Frequently asked questions

Do I need HTTPS if I don't sell anything on the site?

Yes. Even a purely informational site should have it. Browsers warn against sites without it, search engines prefer it, and if you have a contact form, personal details are being sent anyway and ought to be protected.

What's the difference between SSL and HTTPS?

They're connected. SSL is the certificate — the digital "key" that makes the encryption possible. HTTPS is the result you see in the browser once the certificate is in place. In practice, your provider sorts out both.

Is my site hacked if I get a lot of spam in my form?

No, that's usually just automated bots filling in forms all over the web. It's irritating, but not a break-in. Simple spam filtering on the form curbs most of it.
