For small businesses, template websites are the entry into creating your first presence on the web. But are they a useful shortcut or an invitation to criminals?
Let’s first of all define a template website. Setting up a new website can be daunting for a new business, and a time-consuming and potentially expensive experience. One option of course is to employ a professional web designer, and there are occasions when this is the best option. But the rise of do-it-yourself websites, offering simple setup, fixed and competitive costings, and the ability to quickly change in response to your business needs, has proven very popular. The grand-daddy of these is of course WordPress (used by this website), but all major web service providers now have their own offering, providing a one-stop shop for all your communications, including bundle deals on phones, easy links to social media platforms and so on. Hosted solutions like this mean that you do not have to have your own server, with all the attached issues of maintenance, technical knowledge and updates.
The process is simple – the supplier provides a template, you get to choose a theme that suits your needs, fill in the relevant information and launch your site. You can easily do this in a day. So what’s the problem? In one word, Security. Because the template is universal, default settings are simple and very often can be used without changing. Bad Actors know this and can quickly use this information to gain access to your site, deny you access, compromise your customers and quickly ruin your new business. We say Bad Actors, because this encompasses both criminal activity and nation-sponsored activity. We’ll talk about why the Governments of Russia, China, Iran or a host of others may be interested in your site later.
Which is not to say that you should not use template websites in your business. Rather, that you need to take the time to understand how to protect your new site, how it works and how to mend it when it breaks.
So when choosing your template provider, have a look around their site for help on how to secure your site, check the forums for complaints or non-responsive customer support, and ask the provider, before you sign up, how they can help you to secure your site.
The estimable WordPress-based sites (this is one) have a whole host of information and support forums to help you, and many plug-ins that take the hard work out of securing your site. So check to see if your template provider has a similar capability. Look for security plug-ins, worked examples on how to change your configuration files and .htaccess file, and help for when it goes wrong.
If your site provider uses cPanel, you can check how your pages are being accessed, using AWStats or similar. You may be surprised to see that wp-admin.php (on WordPress) is getting a hammering. This is indicative of bots trying to find your login and take control of your site. So of course, don’t keep the default login for your new site (probably ‘Admin’). Change it (and its password) to something else immediately you set up your site, preferably before it goes live. It takes less than 30 seconds for bots to find your site and start to attack it.
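As an added example (not part of the original article), the same check can be run against the raw access log that AWStats summarises, counting login-path requests per client. The log lines are constructed samples in Apache combined format; the threshold of 3 and the inclusion of wp-login.php and xmlrpc.php alongside the article's wp-admin.php are assumptions.

```python
import re
from collections import defaultdict

# wp-admin.php is the name the article uses; the other two are standard WordPress endpoints.
LOGIN_PATHS = ("/wp-admin.php", "/wp-login.php", "/xmlrpc.php")

# Apache "combined" access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:10:02:00 +0000] "GET /wp-admin.php HTTP/1.1" 404 210 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2016:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2016:10:02:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2100 "-" "curl/7.40"
192.0.2.50 - - [12/Mar/2016:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2016:10:03:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is truncated and does not par
"""

def login_activity(log_text):
    """Per-client counts of login-path requests, failed and accepted logins."""
    stats = defaultdict(lambda: {"requests": 0, "failed": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or non-combined-format lines
        path = m["path"].split("?", 1)[0]
        if path not in LOGIN_PATHS:
            continue
        entry = stats[m["ip"]]
        entry["requests"] += 1
        if path == "/wp-login.php" and m["method"] == "POST":
            # By default WordPress answers a bad password with 200, an accepted login with 302.
            if m["status"] == "200":
                entry["failed"] += 1
            elif m["status"] == "302":
                entry["accepted"] += 1
    return dict(stats)

def flag_clients(log_text, threshold=3):
    """Clients at or over the threshold; True marks a login accepted after failures."""
    return {ip: s["failed"] > 0 and s["accepted"] > 0
            for ip, s in login_activity(log_text).items() if s["requests"] >= threshold}
```

A client flagged `True` had a login accepted after failed attempts, which is the case to investigate first: reset that account's password and review what the session did.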
Which brings us to the question of why attack my site?
Attacks are not discriminatory, just opportunistic. No one’s actually looking at your site to see if it’s interesting or valuable; they just want access to it. It is often simply to use your site to attack other, more valuable, targets. Of course, it may be that your site is interesting to criminals: maybe you store contact details, or credit cards that they can steal and sell on. Maybe they lock your site and demand a ransom. Or steal intellectual property. So these attacks are rarely personal, simply a cheap and safe way to make money illegally.
In the case of Nation States, it’s different. Although Russia in particular supports and encourages organised crime against its enemies, in general, national interests are about creating disaffection, chaos and disorder. Last year (2015), we saw concerted attacks on template websites to create massive Distributed Denial of Service events, with nation states including Russia, North Korea, China and Iran harvesting poorly defended websites for potential mass attack.
This year the focus has switched to social media, so you may find your site used to boost follower numbers without your knowledge, using your mailboxes, or endorsements. The purpose of this is unclear; it may be to spread disinformation, or create panic through faked posts. Either way, the use of poorly secured template sites is something we can and should prevent.
So, the use of template websites is a great boon to small businesses and individuals, but take care and understand what you are getting before you sign up.