Every day, thousands of UK business websites are probed for weaknesses. Most attacks are automated: bots scanning for outdated software, exposed credentials, and misconfigured servers. If your site is built on a modern stack like Next.js and deployed to a VPS, you have a strong foundation. But the defaults are rarely enough, and responsibility for security doesn't come bundled with the framework.
This guide covers what every UK business website actually needs in 2026: from Next.js-specific configuration and server hardening, to your UK GDPR obligations and what to do when something goes wrong.
Why UK Businesses Are a Target
UK SMEs are disproportionately attacked because they combine genuine business data (customer records, payment details, email lists) with limited security resources. The UK government's Cyber Security Breaches Survey consistently finds that a significant proportion of UK businesses experience a cyber attack or breach each year, with phishing and exploitation of vulnerabilities the most common vectors.
The shift toward custom-built websites, including Next.js applications on managed VPS environments, has improved performance and SEO control, but it also transfers security responsibility directly to your development team. That responsibility doesn't come with built-in defaults the way a managed SaaS platform might imply.
UK GDPR: Security Is a Legal Obligation
Under UK GDPR, any business that processes personal data (which includes contact forms, newsletter signups, and user accounts) is legally required to implement appropriate technical security measures. A breach that exposes customer data can result in:
- ICO (Information Commissioner's Office) investigations and enforcement
- Fines of up to £17.5 million or 4% of global annual turnover
- Mandatory breach notifications to affected individuals within 72 hours
- Lasting reputational damage that drives customers to competitors
Security isn't optional for UK websites: it's a compliance requirement under Article 32 of UK GDPR. For eCommerce sites with additional obligations around payment data, see our GDPR eCommerce setup guide.
Next.js Security: What to Configure Before You Go Live
Next.js is our preferred framework for UK clients precisely because it gives developers direct control over performance and security. That control comes with responsibility. These are the highest-impact areas to address on any Next.js deployment:
HTTP Security Headers
Next.js does not set security headers by default. Configuring them in next.config.ts (or at your reverse proxy, such as Caddy) closes a wide range of common attack vectors before a request reaches your application code:
- Content-Security-Policy (CSP): Defines which scripts, styles, fonts and external resources are permitted to load. The single most effective defence against cross-site scripting (XSS) attacks.
- Strict-Transport-Security (HSTS): Forces browsers to use HTTPS even if a user types
http://or follows an insecure link. - X-Frame-Options: Blocks your pages from being embedded in iframes on third-party sites, preventing clickjacking.
- X-Content-Type-Options: Stops browsers from MIME-type sniffing, which can be exploited to execute malicious files.
- Referrer-Policy: Controls how much referrer information is sent to external sites when users click outbound links.
- Permissions-Policy:Restricts access to browser features (camera, microphone, geolocation) that your site doesn't need.
A missing or misconfigured CSP is one of the most frequently encountered vulnerabilities on custom-built UK business sites.
Environment Variables and Secret Management
Never expose API keys, database URIs, or webhook secrets to the browser. In Next.js, any environment variable prefixed with NEXT_PUBLIC_ is bundled into the client-side JavaScript and visible to anyone who inspects your source. Secrets should only exist in server-side code: Route Handlers, Server Actions, or middleware.
Audit your .envfiles regularly to confirm nothing sensitive has been committed to version control. Rotate credentials if you're ever uncertain.
API Route and Server Action Protection
Next.js API routes are public HTTP endpoints by default. Without authentication checks and rate limiting, they can be abused for data scraping, brute-force attacks, or triggering expensive server operations. Every route that returns user data or performs a write operation should verify the request is authorised. Rate limiting, even a lightweight solution like Upstash, prevents the most common automated abuse.
Dependency Auditing
Run yarn audit regularly and address high-severity findings promptly. Compromised third-party packages are an increasingly common attack vector across the Node.js ecosystem. Pin critical dependency versions, monitor for security advisories, and keep Next.js itself up to date: security patches are released regularly.
Server Security: Hardening Your Hosting Environment
For UK businesses running Next.js on a VPS, a common setup with Docker and Caddy, server configuration is your last line of defence if the application layer is ever compromised.
SSH Hardening
- Disable password authentication entirely and use SSH key pairs only
- Disable direct root login over SSH (
PermitRootLogin noinsshd_config) - Install
fail2banto automatically ban IPs with repeated failed login attempts - Restrict SSH access by IP address where your workflow allows it
Firewall Configuration
Use ufw to restrict inbound traffic to only the ports you actually need: typically 80 (for HTTPS redirect), 443 (HTTPS), and your SSH port. Everything else should be denied by default. If your Docker setup exposes container ports directly, be aware that Docker modifies iptables rules in ways that can bypass ufw. This is a commonly missed configuration issue on VPS deployments.
HTTPS and TLS Certificate Management
All UK business websites must serve over HTTPS. Google marks HTTP sites as insecure, browsers display warnings, and UK GDPR requires encryption of personal data in transit. Caddy handles automatic TLS certificate renewal via Let's Encrypt with zero manual intervention, which is one of the reasons we use it for client deployments. If you're using Nginx, ensure automated renewal is in place and monitored. Expired certificates cause immediate ranking and trust damage.
Keeping the Server Updated
Unpatched OS packages are a routine entry point for attackers. Enable automated security updates (unattended-upgrades on Ubuntu/Debian) and periodically review your Docker base image versions for known CVEs. A container running on a two-year-old Node.js image may have multiple unpatched vulnerabilities regardless of how clean your application code is.
Backups
Automated, offsite backups are non-negotiable for any UK business website. Ransomware attacks on SMEs often succeed not because the attacker destroyed data, but because the victim had no clean restore point and faced days of downtime. Daily backups stored in a separate location, tested regularly for restorability, should be baseline. Verify your restore process works before you need it, not after.
Common Threats Facing UK SMEs in 2026
Understanding how attacks typically happen makes defences much easier to prioritise:
- Credential stuffing: Automated login attempts using email and password combinations leaked in other breaches. Affects any site with user accounts. Countered by 2FA and rate-limited login endpoints.
- Supply chain attacks: Malicious code injected via compromised npm packages. Countered by auditing dependencies, monitoring advisories, and using package lock files.
- Phishing targeting admin access: Staff with access to hosting panels, DNS registrars, or Git repositories are targeted with convincing emails. Countered by 2FA on every admin account and basic security awareness training.
- Server misconfiguration: Exposed admin ports, overly permissive CORS settings, or debug modes left active in production. Countered by systematic pre-launch review and periodic audits.
- DDoS during peak periods: eCommerce sites are frequently targeted during high-traffic events. Countered by CDN-level DDoS protection and server-side rate limiting.
Passwords, 2FA and Access Management
Strong access management remains the most overlooked element of website security for UK SMEs:
- Use a password manager (Bitwarden or 1Password) and generate a unique, random password for every service
- Never reuse passwords across your hosting panel, DNS registrar, Git provider, and email
- Enable two-factor authentication on every admin account, prioritising your domain registrar (compromised DNS can redirect your entire site) and hosting provider
- Revoke access for contractors and former team members immediately when the engagement ends
What to Do If Your Site Is Compromised
Speed matters. The longer a compromise goes undetected, the greater the damage to data, Google rankings, and customer trust.
- Take the site offline or activate a maintenance page immediately
- Preserve server and application logs before making any changes. Understanding the attack vector prevents reinfection
- Notify your hosting provider
- Assess your UK GDPR breach notification obligations. If personal data was involved, you may have a 72-hour window to notify the ICO
- Restore from a verified clean backup taken before the compromise
- Identify and patch the vulnerability before bringing the site back online
- If Google flagged the site in Search Console, request a manual review once the site is clean
When to Bring in Professional Help
If you process payments, hold customer records, or operate in a regulated sector, there's a ceiling to what DIY security can reliably cover. A professional UK web agency can implement security headers, harden your server configuration, set up monitoring and alerting, and respond quickly when something goes wrong.
We offer a free website security review and ongoing server management for clients who want proactive coverage rather than reactive fixes. For businesses across Southampton, Hampshire, and the wider UK, our security services cover everything from initial hardening through to incident response.
Frequently Asked Questions
What security headers should every Next.js site have?
At minimum: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and a Content-Security-Policy. These are configured in next.config.ts and protect against XSS, clickjacking, protocol downgrade attacks and MIME sniffing. Adding Referrer-Policy and Permissions-Policy is strongly recommended for any site handling personal data.
Does UK GDPR require me to have website security measures?
Yes. Article 32 of UK GDPR requires organisations to implement appropriate technical measures to protect personal data. If your website collects any personal data, including contact form submissions and email addresses, you have a legal obligation to secure it. A breach without reasonable safeguards in place significantly increases your exposure to ICO enforcement.
Is Next.js more secure than WordPress?
Next.js has a smaller default attack surface: no plugin ecosystem, no database accessible via WordPress-specific exploits, and no universally known admin URL. However, Next.js security depends entirely on how the developer configures it. A poorly configured Next.js site can be just as vulnerable as a neglected WordPress install. See our Next.js vs WordPress comparison at /blog/nextjs-vs-wordpress-uk-small-businesses for a full breakdown.
How often should I audit my website's security?
At minimum once a year, after any significant codebase change, and immediately following any third-party dependency update that includes a security fix. Sites processing payments or sensitive personal data should schedule more frequent reviews. A good starting point is our free website health scanner at /resources/tools/website-health-scanner.
Can a hacked website affect my Google rankings?
Yes, significantly. Google's Safe Browsing system flags compromised sites and can suppress or remove them from search results entirely, displaying a warning to users before they visit. Rankings can take weeks to recover even after the site is cleaned and a manual review is requested.
