The internet is getting more dangerous
Practical steps for small businesses without a dedicated IT team
The conversation we keep having with clients goes roughly like this: “I know AI is going to take over the world eventually, but that is not really my problem right now.” They are right that it is not Skynet. They are wrong that it is not their problem. AI is already here, and it is being used to attack websites and servers faster than security patches can be written to close them.
One number stops people in their tracks. In 2020, the median time between a vulnerability being disclosed and attackers actively exploiting it was around 700 days. By 2025, that figure had fallen to 44 days. By early 2026, analyses of recent attacks put it at under half a day.
The people writing the attacks are using AI to do it faster. The people writing the patches are still human. That gap is not closing. It is widening.
As your hosting provider, we take care of the server side of this. But a significant amount of your risk lives outside our control, in how you and your team handle accounts, passwords, and sensitive information. That is what this piece is about.
None of what follows is theoretical. These are things we have either changed in our own business or actively recommend to every client. None of them require a technical background.
Turn on two-factor authentication everywhere it is offered
A strong password is no longer enough on its own. Attackers do not manually guess passwords any more. They use automated tools that try millions of combinations, or they buy lists of leaked credentials from breaches happening every week. If your password is the only thing standing between an attacker and your account, it is not enough.
Two-factor authentication (2FA) means that even if someone has your password, they still cannot get in without a second code, usually from an app on your phone. It is the single most effective thing an ordinary person can do. Enable it on your email, your hosting control panel, your banking, your domain registrar, anywhere it is available.
If you run a team, make 2FA mandatory for any staff account that touches your business systems. One person skipping it is all it takes.
Use a different password for every account, without exception
This is the rule most people know they should follow and most people do not. The reason it matters: when a website gets breached, the attackers get a list of email and password combinations. The first thing they do is try every combination against Gmail, banking, and other high-value services. If you reuse passwords, one breach on a low-stakes site becomes a breach on every site.
The practical solution is a password manager. You remember one strong password for the manager itself, and it generates and stores unique passwords for everything else. We use and recommend Bitwarden, which is open source, independently audited, and free for personal use. 1Password and Dashlane are solid alternatives.
Use plus addressing to know exactly who is selling your data
This one is a favourite. Most email providers support what is called plus addressing. If your email is jane@example.com, you can sign up to any service as jane+acme@example.com, where acme is the name of the company or service you are signing up to. All email to that address arrives in your inbox, usually sorted into a folder named after the tag you used. The company never sees any difference.
Why bother? Because when you start receiving spam to jane+acme@example.com, you know it was Acme that sold or leaked your address. Not a vague sense that something went wrong somewhere. Proof, in the address line. You can then create a filter to automatically delete or block everything sent to that specific address, without touching the rest of your inbox.
This works in Gmail, most Outlook accounts, Apple Mail, and any email hosted with us. It costs nothing and requires no setup. Just start using it next time you create an account somewhere.
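To make the attribution concrete, here is an added example (not from the original post, and not part of any Momentum Hosting tool) that takes a mailbox address and a constructed list of received messages, pulls the tag out of each plus address and reports which tags are receiving mail from senders they were never given to. The addresses, domains and filter-rule syntax are made up for illustration.

```python
# Added example (not from the original post): attribute inbound spam to the
# service that leaked a plus-tagged address. Mailbox, sample messages and the
# 'expected sender' table are constructed for illustration.
import re
from collections import defaultdict

# One optional '+tag' in the local part: jane+acme@example.com -> ('jane', 'acme')
_ADDR_RE = re.compile(r"^([^+@]+)(?:\+([^@]+))?@(.+)$")

def split_plus_address(addr):
    """Return (base_address, tag) for an address; tag is None if untagged."""
    m = _ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    local, tag, domain = m.groups()
    return f"{local}@{domain}", tag

def find_leaked_tags(mailbox, messages, expected_senders):
    """Map each plus tag to sender domains that were never given that tag.

    mailbox: our base address, e.g. 'jane@example.com'
    messages: iterable of (from_address, to_address) pairs
    expected_senders: {tag: set of sender domains that legitimately use it}
    Mail to other mailboxes, or to the untagged base address, is ignored.
    """
    leaks = defaultdict(set)
    for sender, recipient in messages:
        base, tag = split_plus_address(recipient)
        if base != mailbox.lower() or tag is None:
            continue
        sender_domain = split_plus_address(sender)[0].split("@", 1)[1]
        if sender_domain not in expected_senders.get(tag, set()):
            leaks[tag].add(sender_domain)
    return {tag: sorted(domains) for tag, domains in leaks.items()}

def block_rule(mailbox, tag):
    """Filter rule text for a burned tag (rule syntax is illustrative)."""
    local, domain = mailbox.lower().split("@", 1)
    return f"if To contains {local}+{tag}@{domain} then delete"

# Constructed sample traffic: two expected senders, two that should not have the tag.
SAMPLE_MESSAGES = [
    ("orders@acme.example", "jane+acme@example.com"),
    ("noreply@newsletter.example", "jane+news@example.com"),
    ("win-big@spam-house.example", "jane+acme@example.com"),
    ("deals@deal-blast.example", "Jane+Acme@Example.com"),
    ("friend@personal.example", "jane@example.com"),
]
EXPECTED_SENDERS = {"acme": {"acme.example"}, "news": {"newsletter.example"}}
```

Two practical caveats: some sign-up forms reject a + in the address, and a spammer can strip the tag before mailing you, so an untagged spam message says nothing about which service leaked it.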
Stop sending sensitive information by email or SMS
When you send a password, bank detail, or any sensitive piece of information by email, that message does not just travel to the recipient and disappear. It is stored in your sent folder. It is stored in their inbox. It goes through multiple mail servers on the way. It sits in backup systems and replicated storage on servers around the world indefinitely. “But I deleted it” does not help, because the copies you cannot see still exist.
The same applies to SMS, which offers essentially no encryption and is trivially intercepted by anyone with the right equipment near you.
We changed our own policy at Momentum Hosting. We will not email passwords or receive them by email. When credentials need to move in either direction, we use a zero-knowledge secure link. A zero-knowledge link means the information is encrypted before it leaves your browser, the link expires after it is read once, and even we cannot see what was shared. No copies. No backups. No servers holding the data.
We built our own tool to do this, because when your security depends on how a tool works, “probably fine” is not good enough. It is called Vanishly, and it is free to use.
Treat backups as insurance, not prevention, and check them regularly
We take daily backups of your hosting environment. But your backup strategy should extend to your own business data: documents, databases, files you manage locally or in cloud services. Ransomware, the kind that locks you out of your own systems and demands payment, is one of the most common attacks on small businesses. It does not matter how secure your server is if your local files or cloud accounts are not backed up.
The 3-2-1 rule is the industry standard: three copies of your data, on two different types of storage, with one copy offsite. For most small businesses this means your working files, a local external drive, and a cloud backup service (Backblaze is inexpensive and reliable).
Be sceptical of anything that creates urgency
Phishing is not going away. It is getting more convincing, because attackers now use AI to write emails that are grammatically perfect, contextually relevant, and personalised. The old advice of “look for typos” no longer works reliably.
What does work: healthy scepticism about urgency. Any email, text, or call that asks you to act immediately, verify your account, pay an overdue invoice, or click a link before something bad happens, should make you pause. Legitimate services do not create artificial emergencies. If something feels off, go directly to the service by typing the URL yourself. Do not click the link in the email.
If you receive an email purportedly from us asking for anything unusual, call us. We will not be offended. We will be glad you checked.
Keep software updated, especially anything public-facing
Plugins, themes, CMS platforms, shopping cart software, contact form tools: all of these have security vulnerabilities discovered regularly. The cycle from “vulnerability discovered” to “active exploitation” is now measured in hours. If your website software is months out of date, it is not a matter of if it gets attacked, it is when.
We handle server-level patching on your behalf. The software inside your website is a different story.
WordPress is the honest example, because it powers a large portion of the websites we host. Nearly every WordPress site we look at has 30 or more pending plugin updates at any given time. The reason they pile up is not laziness. It is a real problem: clicking update on a WordPress plugin can break your website without warning. Plugins conflict with each other, or with your theme, and the result is a blank screen or a broken layout. So people stop updating, because updating feels like pulling a pin.
We cleaned a hacked WordPress site this week. It had more than 30 pending updates. We ran them and the site broke, so we restored it and took a different approach: instead of updating everything, we went through the plugin list and removed everything that was not essential. Fewer plugins means fewer vulnerabilities, and fewer things to update. That is the more sustainable fix.
None of this is difficult
None of what is described here requires a security background. It requires treating your digital accounts with the same basic care you would apply to your physical premises. You lock the door. You have a spare key somewhere safe. You do not hand your key to strangers. The digital equivalent of all of those things is what this piece describes.
If you are still doing things the same way you were five years ago and your thinking is roughly “it has been fine so far,” that is understandable. It has probably been fine so far. But the threat environment has changed fundamentally in the last two years, and the gap between “hasn’t happened yet” and “happened” is closing faster than most people realise.
The businesses that get hit are not the ones that were careless. They are the ones that did not change when the landscape did.
Most of what we have covered takes an afternoon to set up and then costs nothing going forward. That is a reasonable trade for significantly reducing your exposure.
If you have questions about any of this, or want to talk through what applies to your specific setup, get in touch. This is exactly the kind of conversation we are here for.
Operational guidance from a hosting operator. General recommendations, not specific security advice. Higher-risk environments warrant a tailored review.