Free website audit · a plan and a fair price built around your business · no lock-in

Free audit · a plan built for you · no lock-in

Run a free audit →

The protection that runs quietly under your site

Encrypted, patched, backed up and watched. Your site kept safe, and run for you.

Most small-business sites are secured with a padlock and a hope: HTTPS switched on, and nothing else. No security headers, no content security policy, an old platform nobody patches, no backups, and nobody watching if it goes down. That is how a site ends up defaced, breached, or quietly offline with the first you hear of it being a customer's phone call. We put the whole stack in place instead: HTTPS and modern TLS, security headers and CSP, dependency and platform patching, scheduled backups, and uptime, SSL and domain-expiry monitoring, all on UK and EU-based, GDPR-friendly infrastructure. It is real work, kept current and run for you. Start with a free audit, then we quote it to your business. One bill, no lock-in, and direct support, not a call centre.

  • HTTPS and modern TLS
  • Security headers and CSP
  • Patching and backups
  • Uptime and SSL monitoring
  • GDPR-friendly, close to home

In plain English

Website security is not one product, it is a set of sensible protections kept current and watched. HTTPS and TLS encrypt the connection. Security headers and a content security policy tell the browser how to behave safely and block the common attacks. Patching removes the out-of-date code that attackers rely on. Backups mean you can always roll back. And monitoring means someone knows the moment something is wrong. Skip any one of these and there is a gap; do them all and keep them current, and your site is genuinely safe. That is what this service is, and it is run for you.

How it fits together

One site, six layers of protection, run for you.

Your site sits inside a single, layered set of protections, and every one of them is kept current and watched, so nothing is left switched off or out of date.

How we do it

Audited, closed off, hardened, then watched.

There is nothing for you to configure and nothing to remember to update. We audit the surface, close the gaps, harden the site, and keep it monitored, so the protection is not a one-off but an ongoing thing that is looked after.

  1. 01

    We audit the surface

    The free audit checks your site's security posture as it stands: is it on HTTPS, are the headers present, is the certificate valid, is anything running on out-of-date code. You get an honest read of where the gaps are, not a scare story.

  2. 02

    We close the obvious gaps

    HTTPS and TLS are enforced, the missing security headers and a content security policy are put in place, and the certificate is set to renew automatically. The common attacks the browser can block, get blocked.

  3. 03

    We patch, back up and harden

    The platform and any dependencies are kept up to date, scheduled backups are turned on so there is always a clean version to restore, and the sensible hardening is applied so the site is not left wide open.

  4. 04

    We monitor and keep it current

    Uptime, SSL and domain expiry are watched so nothing quietly lapses, the posture is kept current as things change, and if something breaks it is on us to put right, with one accountable point of contact.

What is included

The whole stack, set up and kept current.

Each of these is easy to skip on its own, which is why so many sites ship without them. It pairs closely with domains, email and security, which locks down the domain the same way this locks down the site.

HTTPS and TLS, enforced

The connection encrypted end to end, http redirected to https, and modern TLS, so browsers and customers see the padlock, not a warning.

Security headers and CSP

The headers most small-business sites ship without, plus a content security policy that blocks injected scripts before they can do any harm.

Dependency and platform patching

The platform and any dependencies kept up to date, because most breaches exploit known holes in old software that were simply never updated.

Scheduled backups

Your site and its data backed up on a schedule, so whatever happens there is always a clean, recent version to roll back to.

Uptime and expiry monitoring

Uptime watched so we know if the site goes down, and SSL certificate and domain expiry watched so neither lapses and takes you offline.

Sensible hardening

The quiet locks: admin surfaces kept out of reach, sensible defaults, and no needless third-party sprawl for an attacker to exploit.

Certificate auto-renewal

Your SSL certificate set to renew on its own, so the site never drops into a browser warning because a certificate quietly expired.

GDPR and EU-hosting posture

Hosted on UK and EU-based, GDPR-friendly infrastructure, with no tracking pixels and no selling of data, ever. Security and privacy, one job.

The difference

Left exposed, or secured properly.

A padlock and a hope is not security. The question is whether the whole surface is protected and watched, or whether one quiet gap is waiting to become a bad day.

Left exposed

  • Runs over plain http, or a half-configured certificate
  • No security headers, no content security policy
  • Platform and plugins left on old, unpatched versions
  • No backups, so a bad day means starting again
  • Nobody watching, so downtime is a customer's phone call
  • The certificate quietly expires and the site warns visitors

Secured properly

  • HTTPS and modern TLS enforced across the whole site
  • Security headers and a content security policy in place
  • Platform and dependencies kept patched and current
  • Scheduled backups, so there is always a clean rollback
  • Uptime, SSL and domain monitored and watched for you
  • The certificate renews on its own, no lapse, no warning

And against the alternatives

Doing it yourself

HTTPS
On if you remembered to enable it
Headers and CSP
Left at the platform defaults
Patching
When you notice, if you notice
Backups
Hopefully, somewhere
When it breaks
You, and a customer's phone call

A cheap web host

HTTPS
Basic certificate, nothing more
Headers and CSP
Not their job
Patching
The server, not your site
Backups
An add-on you pay extra for
When it breaks
A ticket queue and a call centre

UK Web Marketing

HTTPS
Enforced, with modern TLS
Headers and CSP
Set properly, as standard
Patching
Kept current, run for you
Backups
Scheduled and included
When it breaks
One accountable point of contact

Built on protections you can trust

The real protections, kept current for you.

  • HTTPS · TLS Encryption
  • Headers · CSP Browser hardening
  • Cloudflare DNS + edge
  • Scheduled backups Rollback
  • Uptime + SSL monitoring Watched for you

Encryption, browser hardening, patching, backups and monitoring, all on UK and EU-based, GDPR-friendly infrastructure.

A real company, not a Gmail

Built and run by one accountable person.

  • HTTPS Modern TLS enforced across the whole site
  • Patched Platform and dependencies kept current for you
  • UK / EU GDPR-friendly hosting, kept close to home
  • One bill No lock-in, direct support, not a call centre

Nothing to lose

Low risk, all the way through.

  • Free audit
  • An honest read, not a scare story
  • No lock-in, cancel any time
  • You own your code and your data
  1. 01

    Free audit

    An automated look at your site's security posture, so you see where the gaps are.

    Run a free audit
  2. 02

    Close the gaps

    HTTPS, headers and CSP, patching and backups put in place, so the obvious holes are shut.

    Talk it through
  3. 03

    Monitored and run for you

    Uptime, SSL and domain watched, and the whole stack kept current, from £49/mo, no lock-in.

    Get it looked after

Fits your system

One half of a whole that is watched.

Website security sits alongside the domain, DNS and email foundation and the site itself. Each part is set up and run for you as one system, not separate accounts you have to hold together yourself.

FAQ

Website security, answered.

What does website security actually cover?

The whole surface: HTTPS and TLS so the connection is encrypted, security headers and a content security policy so the browser blocks the common attacks, patching so nothing runs on out-of-date code, backups so you can always roll back, and monitoring so we know the moment something is wrong. It is not one product; it is a set of sensible protections kept current and watched for you.

Is HTTPS not enough on its own?

HTTPS is the floor, not the ceiling. It encrypts the connection, which matters, but it does nothing about out-of-date software, a missing content security policy, or an unmonitored site quietly going down. Real security is layered: encryption in transit, headers that harden the browser, patched code, backups, and monitoring. We put the whole stack in place, not just the padlock.

What are security headers and CSP?

They are instructions your site sends to the visitor's browser telling it how to behave safely: which scripts are allowed to run, whether the page can be framed by someone else, that it must stay on https. A content security policy, or CSP, is the strongest of them, it blocks injected scripts before they can do harm. Most small-business sites ship with none of these. We set them properly.

How do backups and patching work?

Your site and its data are backed up on a schedule, so if anything ever goes wrong there is a clean version to roll back to. Patching means keeping the platform and any dependencies up to date, because most breaches exploit known holes in old software that simply were not updated. Both run quietly in the background as part of the service, so you are never the one remembering to do them.

What are you monitoring, and what happens if something breaks?

Uptime, so we know if the site goes down. Your SSL certificate and domain expiry, so neither lapses and takes you offline. And the security posture itself, so a change that weakens it gets caught. If something breaks, it is on us to put right, with one accountable point of contact, not a ticket queue and a call centre.

Do expertly built sites need less patching than WordPress?

Generally, yes. An expertly built site has no sprawl of third-party plugins, which is where a large share of WordPress breaches come from, so there is a far smaller surface to attack and to keep patched. It is not zero, the platform and any dependencies still need updates, and that is exactly what this service handles. But the starting point is a much leaner, safer build.

Where is my site and my data hosted?

On UK and EU-based, GDPR-friendly infrastructure, so your data and your customers' data stay close to home. We only hold what we need to run your site. There are no tracking pixels and no selling of data, ever. Security and privacy are the same job here, done properly and kept that way.

How much does it cost, and is there a contract?

There are no published package prices, because every site is a little different. Start with a free audit, then the work is quoted to your business, with website management from £49/month, one simple bill, cancel any time, no lock-in. Security is part of the managed service, not a bolt-on you pay extra to unlock.

Can you secure a site you did not build?

Often, yes. We audit what is there, add HTTPS and the missing headers, get patching and backups in place, and turn on monitoring. Where the underlying build is too fragile to secure sensibly, we will tell you straight, and an expertly built replacement may be the better value. Either way you get an honest read, not a scare story.

Does this work with the rest of what you run?

Yes, it is designed to. Security sits alongside the domain, DNS and email foundation and the managed website itself, one system, wired together and run for you. The domain-level locks and the site-level protections are two halves of the same job, which is why they are looked after together, not as separate accounts.

Ready when you are

Stop hoping. Get it watched.

Start with a free audit, then a quote built for your business. HTTPS and modern TLS, security headers and CSP, patching and scheduled backups, and uptime, SSL and domain-expiry monitoring, all kept current and run for you on UK and EU-based, GDPR-friendly infrastructure. Website management runs from £49/month, quoted to your business, one simple bill, cancel any time, no lock-in. Want the domain and email side too? See domains, email and security.

Free audit · a plan built for you · no lock-in

Ready to find out exactly what your business needs?

Run a free audit