
I Audited 21 Local Businesses' Websites — Here's What I Found

A passive security scan of real small businesses revealed problems most owners don't know they have

Taylor Haun·March 31, 2026·5 min read


I scanned 21 local service businesses — HVAC companies, plumbers, electricians, auto repair shops — using nothing but free, publicly available tools. No hacking. No exploitation. Just looking at what's already visible on the internet about their infrastructure.

The results were worse than I expected.

I'm not naming the businesses. The point isn't to embarrass anyone — it's to show what "normal" looks like for a small business website, and why that normal is dangerous.

What I Did (And Didn't Do)

I want to be clear about methodology. Everything I did is passive reconnaissance — looking at publicly available information. No passwords were guessed. No systems were accessed. No vulnerabilities were exploited. This is the same information any person (or bot) on the internet can see.

The tools:

  • Shodan InternetDB — A free API that returns what ports, services, and known vulnerabilities are visible on any IP address. One HTTP request per business.
  • DNS lookups — Checking DMARC, SPF, and DKIM records to see if email spoofing protection exists.
  • HTTP probing — Visiting publicly accessible URLs to check for exposed admin panels, default configurations, and outdated software.
  • SSL certificate checks — Verifying encryption status and expiration dates.

This took about 15 minutes per business. The data was already indexed. I just looked at it.

The Findings

76% had no DMARC protection

16 of the 21 businesses had either no DMARC record at all, or a DMARC record set to p=none — which means it's monitoring only, not actually blocking anything.

Why this matters: Without DMARC enforcement, anyone can send emails that appear to come from your business domain. Not phishing emails that say "click here" — emails from billing@yourbusiness.com with your real logo, sent to your real customers, with a fake invoice attached.

This isn't theoretical. The FBI's Internet Crime Complaint Center reported $2.9 billion in losses from business email compromise in 2023 alone. Small service businesses are frequent targets because their email infrastructure is weak and their customers trust invoices without question.
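The DMARC check described above, as an added example rather than the author's own tooling: it classifies the TXT records found at `_dmarc.<domain>`, counting no record or `p=none` as unprotected the way the audit did, and also flags `pct<100` partial enforcement. Sample records are constructed; `lookup_dmarc` assumes the dnspython package for live queries.

```python
def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(txt_records: list[str]) -> str:
    """Return 'missing', 'monitor-only', 'partial' or 'enforced'."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        # No record, or several: receivers treat both as "no DMARC" (RFC 7489 6.6.3).
        return "missing"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only"  # p=none: aggregate reports only, nothing blocked
    try:
        pct = int(tags.get("pct", "100"))  # pct<100 enforces on a sample only
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"

def lookup_dmarc(domain: str) -> str:
    """Live check for a real domain (needs dnspython; not used offline)."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
        records = [b"".join(r.strings).decode() for r in answers]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        records = []
    return dmarc_status(records)

# Constructed sample results for a few audited domains (not real data).
SAMPLE_RESULTS = {
    "hvac-one.example": [],
    "plumber-two.example": ["v=DMARC1; p=none; rua=mailto:reports@plumber-two.example"],
    "electric-three.example": ["v=DMARC1; p=reject; pct=100"],
    "auto-four.example": ["v=DMARC1; p=quarantine; pct=20"],
}

def unprotected_share(results: dict) -> float:
    """Share of domains the audit would count as spoofable (missing or p=none)."""
    bad = sum(dmarc_status(r) in ("missing", "monitor-only") for r in results.values())
    return bad / len(results)
```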

38% had database ports exposed to the internet

8 of the 21 businesses had MySQL or MariaDB (port 3306) open to the public internet. In a properly configured setup, your database talks only to your web server — never to the outside world.

An exposed database port doesn't automatically mean someone can read your data. They'd still need credentials. But it means the door is visible from the street — and the only thing between an attacker and your customer records is the strength of a password that was probably set by whoever configured the hosting account three years ago.

Three of those 8 businesses also had browser-based database administration tools (phpMyAdmin or Adminer) accessible at predictable URLs. That turns a credential-guessing attack from a terminal exercise into a web form.

43% had known CVEs on their infrastructure

9 businesses had servers running software with published Common Vulnerabilities and Exposures (CVEs). These aren't theoretical bugs — they're documented security holes, often with public exploit code available.

The most common were outdated SSH versions and unpatched WordPress installations. One business had 14 known CVEs on a single IP address, including a remote code execution vulnerability in OpenSSH that would give an attacker shell access to the server.
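The port and CVE findings above come from one InternetDB lookup per IP. The following is an added example, not the author's scanner: it triages a record shaped like an InternetDB response (field names `ip`, `ports`, `cpes`, `hostnames`, `vulns`) into the kinds of findings reported here, and aggregates across businesses. The sample records are constructed, with placeholder CVE ids, and the risky-port table goes beyond the article's 3306 and 21 to cover two other common database ports.

```python
import json
import urllib.request

# Services that should never face the internet directly (3306 and 21 from the
# article; PostgreSQL and MongoDB added as the same class of exposure).
RISKY_PORTS = {3306: "MySQL/MariaDB", 21: "FTP", 5432: "PostgreSQL", 27017: "MongoDB"}

def fetch_internetdb(ip: str) -> dict:
    """Live lookup: one unauthenticated GET per IP (not used by the offline demo)."""
    with urllib.request.urlopen(f"https://internetdb.shodan.io/{ip}", timeout=10) as r:
        return json.load(r)

def triage(record: dict) -> list[str]:
    """Turn one InternetDB-shaped record into human-readable findings."""
    findings = []
    for port in sorted(record.get("ports", [])):
        if port in RISKY_PORTS:
            findings.append(f"exposed {RISKY_PORTS[port]} port {port}")
    vulns = record.get("vulns", [])
    if vulns:
        findings.append(f"{len(vulns)} known CVEs")
    # CPEs say what software is exposed; an OpenSSH CPE alongside CVEs is the
    # "outdated SSH" case the audit kept running into.
    for cpe in record.get("cpes", []):
        if "openssh" in cpe.lower() and vulns:
            findings.append(f"outdated OpenSSH build ({cpe})")
    return findings

def summarize(records: list[dict]) -> dict:
    """Aggregate like the article: share with a DB port open, share with any CVE."""
    n = len(records)
    db_exposed = sum(1 for r in records if 3306 in r.get("ports", []))
    with_cves = sum(1 for r in records if r.get("vulns"))
    return {"businesses": n,
            "db_exposed_pct": round(100 * db_exposed / n),
            "cve_pct": round(100 * with_cves / n)}

# Constructed sample records (TEST-NET addresses, placeholder CVE ids); not real businesses.
SAMPLES = [
    {"ip": "192.0.2.10", "ports": [22, 80, 443, 3306], "cpes": ["cpe:/a:openbsd:openssh:7.4"],
     "hostnames": ["www.hvac-one.example"], "vulns": ["CVE-XXXX-0001", "CVE-XXXX-0002"]},
    {"ip": "192.0.2.11", "ports": [80, 443], "cpes": [], "hostnames": [], "vulns": []},
    {"ip": "192.0.2.12", "ports": [21, 80, 443], "cpes": [], "hostnames": [], "vulns": []},
]
```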

57% had WordPress admin login pages publicly accessible

This one is almost universal. The default WordPress login page at /wp-admin or /wp-login.php was accessible on 12 of the 21 sites. Combined with weak passwords (which are common when the site was built by a friend-of-a-friend web developer), this is the most straightforward path into a small business website.

29% had SSL certificates expiring within 60 days

6 businesses had certificates nearing expiration with no auto-renewal configured. When the cert expires, customers see a browser warning that says "this site is not secure." Some will click through. Most will leave. And Google penalizes sites with expired certificates in search rankings.

The One That Worried Me

I'm not naming this business, but one site — a local plumbing company — had a combination of issues that together create a realistic, end-to-end attack scenario.

  • MySQL database exposed to the internet
  • phpMyAdmin accessible via browser
  • No DMARC record (email spoofing possible)
  • 14 known CVEs including an SSH remote code execution vulnerability
  • WordPress admin login exposed
  • Running on shared hosting, meaning other businesses on the same server are at risk too

Individually, each of these is a problem. Together, they form a chain: access the database through the exposed admin panel (or exploit the SSH vulnerability to get shell access), export the customer list, and use the lack of DMARC protection to send spoofed invoices to real customers using real data.

A teenager with a YouTube tutorial could execute the first half of this chain. A motivated attacker with basic scripting skills could automate the whole thing.

The business owner has no idea any of this is visible. They paid someone to build a WordPress site, it works, customers find them on Google, and that's the end of their relationship with their web infrastructure.

Why This Matters for Your Business

You might be thinking "I'm a plumber, not a tech company — why would anyone target me?"

Because you're easy. Not because you're valuable (though your customer data is). Because your defenses are weak compared to larger businesses, and attackers know this. The FBI and CISA have repeatedly highlighted small businesses as the fastest-growing target for cyberattacks specifically because their infrastructure is unmanaged.

Because you have customer data. Names, phone numbers, email addresses, and — critically for service businesses — home addresses. You know when your customers aren't home because you scheduled the service call. That data has value to bad actors.

Because a breach notification destroys trust. If customer data is exposed, most states require you to notify every affected customer. For a local business that runs on reputation and referrals, that notification is devastating. The repair cost isn't the IT bill — it's the customers who never come back.

What You Can Do

The good news: most of these issues are fixable in an afternoon, and they don't require hiring a security team.

  1. Check your DMARC record. Go to MXToolbox and enter your domain. If it says "No DMARC record found" or shows p=none, your email can be spoofed. Your hosting provider or IT person can set up enforcement in under an hour.

  2. Ask your hosting provider about open ports. Call them and ask: "Are any database ports (3306) or FTP ports (21) open on my server?" If they are, ask them to close them. This is a configuration change, not a project.

  3. Update your WordPress. Log into your WordPress admin panel and update everything — core, plugins, themes. Set up automatic updates if your host supports it.

  4. Enable SSL auto-renewal. Most modern hosting providers offer this. One setting change, never worry about expired certificates again.

  5. Move your WordPress login behind a non-default URL. Plugins like WPS Hide Login do this in two minutes. This keeps the page out of casual scans, but it is not a substitute for a strong password and two-factor authentication on every admin account.

If you're not sure where you stand, I offer a free passive security scan for small businesses. Same methodology I used here — no exploitation, just looking at what's already public. I'll send you a report showing exactly what's visible about your infrastructure and what to fix first.


Taylor Haun

Software engineer. Former Spotify. Building AI agent security tools at Haun Lab.
