In January 2026 I moved every single client site I run behind the same kind of security a bank would use. Not just the websites that take credit cards. Not just the busy ones. All of them — the plumber's five-page site and the law firm's blog alike. Nobody asked me to, and in the vast majority of cases nobody pays a cent extra for it. I did it because the internet got meaner, fast, and it was simply the right thing to do.
Let me explain what changed, and what it actually means for your business.
Why I did this now
Here's the thing about bad actors on the web. For most of my 25 years doing this, the people probing and poking at websites had to put in real effort. Breaking into a site, scraping it, hammering its forms with junk — that took time and skill, so they aimed at targets worth the trouble. A small local business mostly got left alone because it wasn't worth anyone's afternoon.
AI changed that math. The same tools that help me build faster also let the bad guys do their work for almost nothing. What used to take a skilled person a day now runs by itself, around the clock, against everyone at once. The cost of trying to break into your site dropped to basically zero — so now they try, constantly, whether you're a corner bakery or a hospital.
So I had a choice. I could keep treating security as something you bolt on when a site "needs" it, or I could decide that every business I work with deserves the real thing. I picked the second one. If I'm going to run hundreds of sites, I'd rather defend all of them like they matter, because they do — to the people who own them.
What "bank-level" actually means, in plain English
I run every site behind one shared security layer — think of it as a single, very serious front door that every visitor passes through before they ever reach your site. The technology underneath is from Cloudflare, and I manage it centrally so an improvement I make for one client lands for everyone. Here's what's standing at that door, minus the jargon:
- A web application firewall with the industry's standard rulebook. Picture a bouncer who already knows every common trick the troublemakers use to sneak in, and turns them away before they reach the room. That "rulebook" (the OWASP core ruleset) is the same baseline serious operations rely on.
- Bot filtering. A huge share of internet traffic isn't people — it's automated programs. Most are useless or hostile. I let the good ones through and block the rest at the door.
- Rate-limited forms. Your contact form can't be machine-gunned with thousands of junk submissions a minute. If something tries, it gets slowed down and shut out.
- Locked, encrypted connections end to end. The little padlock in the browser, but done properly all the way through — with certificates that renew themselves so they never quietly expire and scare your visitors off. (That's the "Full Strict TLS, auto-renewing certs" part, if you ever hear me say it.)
- The modern fast lane, plus health checks from multiple regions. Your site travels on the current generation of web connection (HTTP/3), and I'm watching from several places around the world at once, so if something goes wrong I know before you do.
You don't have to remember any of that. The one-sentence version: there is now a heavily guarded checkpoint in front of your site, run by me, watched constantly, and shared across my whole fleet so it only ever gets stronger. If you want the longer story of how I host and protect sites, it lives on my cloud hosting page.
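For readers who want to see the mechanism behind the "rate-limited forms" item, here is an added example (not the author's Cloudflare configuration, and not Cloudflare's implementation) of a two-stage limiter that first slows a client down and then shuts it out. The function names, thresholds and client addresses are assumptions made up for the illustration.

```javascript
// Added illustration: two-stage rate limiter for a contact-form endpoint.
// All names and thresholds are hypothetical, chosen for this example.
function createFormLimiter({ windowMs, slowAfter, blockAfter, blockMs }) {
  const hits = new Map();     // clientKey -> timestamps of recent submissions
  const blocked = new Map();  // clientKey -> time (ms) when the block expires

  return function check(clientKey, nowMs) {
    // Stage 2 still in force: refuse without counting the request.
    const until = blocked.get(clientKey);
    if (until !== undefined) {
      if (nowMs < until) {
        return { action: "block", retryAfterSec: Math.ceil((until - nowMs) / 1000) };
      }
      blocked.delete(clientKey);
    }

    // Sliding window: keep only submissions newer than windowMs.
    // Rejected attempts are counted too, so continued hammering escalates.
    const recent = (hits.get(clientKey) || []).filter((t) => nowMs - t < windowMs);
    recent.push(nowMs);
    hits.set(clientKey, recent);

    if (recent.length > blockAfter) {
      // Sustained flood: shut the client out for blockMs and reset its window.
      blocked.set(clientKey, nowMs + blockMs);
      hits.delete(clientKey);
      return { action: "block", retryAfterSec: Math.ceil(blockMs / 1000) };
    }
    if (recent.length > slowAfter) {
      // Burst: reject (HTTP 429) until the oldest hit ages out of the window.
      const waitMs = windowMs - (nowMs - recent[0]);
      return { action: "throttle", retryAfterSec: Math.ceil(waitMs / 1000) };
    }
    return { action: "allow", retryAfterSec: 0 };
  };
}

// Constructed traffic: one client submits every 2 s, another submits once.
function simulate() {
  const check = createFormLimiter({ windowMs: 60000, slowAfter: 3, blockAfter: 6, blockMs: 600000 });
  const flood = [];
  for (let i = 0; i < 8; i++) flood.push(check("203.0.113.7", i * 2000).action);
  const visitor = check("198.51.100.20", 5000).action;       // unrelated client
  const afterBlock = check("203.0.113.7", 612000).action;    // block has expired
  return { flood, visitor, afterBlock };
}

console.log(simulate());
```

The flooding client is allowed three submissions, throttled for the next three, then blocked, while the single-submission visitor is never affected.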
The two payoffs nobody talks about
Everyone expects "more secure." Fair enough. But two of the best results of this barely get mentioned, and they're the ones I think you'll actually feel.
1. Your numbers finally tell the truth
This one matters more than it sounds. When bots are crawling all over your site all day, they show up in your traffic reports. Your visitor count looks inflated. Your form gets fake submissions that look like real leads until you read them. You end up making decisions — or judging whether your marketing is working — based on noise.
When I filter the junk at the door, it never reaches your reports in the first place. So the traffic I show you is closer to actual humans, and the leads are closer to actual people who want to hire you. I keep your live keyword rankings, your traffic, and your real inquiries on one screen in the same dashboard you use to edit your site. Cleaner inputs mean that screen is telling you the truth instead of a flattering lie. That's the whole point of honest SEO reporting — and it's why I don't do monthly slide decks. The numbers are right there, real, whenever you want them.
2. Peace of mind — mine and yours
You didn't get into business to think about web application firewalls. You shouldn't have to. The quiet payoff here is that this just stops being something you worry about. No "did we get hacked?" at 2am. No scramble when a certificate expires. No mystery spam flood in your inbox. I carry that load so you can go run the thing you're actually good at.
And to be plain about it: almost nobody pays more for any of this. My hosting is still $150 a year. I rolled this out across every site because keeping you safe isn't an upsell — it's part of the job. I'd rather under-charge and do it right than nickel-and-dime you for the basics.
The short version
AI made attacking small websites cheap and constant, so I made defending them serious and universal. Every site I run now sits behind a bank-grade checkpoint I manage myself. Your reports get more honest, your inbox gets quieter, and you get to stop thinking about it.
If you're stuck on a do-it-yourself host or a template site wondering who's actually watching the door — honestly, probably no one — that's worth a conversation. You can see everything I do, look over work I've shipped, or just tell me about your business and I'll give you a straight answer. No lock-in, no contract games, no surprises. That's the deal.