Why Your Business Website Is a Security Risk: What OpenClaw Found in 500 SMB Audits

AlloTech AI — Fri, 19 Jun 2026 13:49:43 +0000

Most small business owners don't think they're a target. The data says otherwise.

We built OpenClaw to help SMBs understand their cyber exposure without needing a security team. Over the past few months, we ran automated audits on 500 small and medium-sized business websites across Canada. What we found was worse than we expected.

The Numbers That Should Scare You

Before we get into specifics, here's the summary:

73% of audited sites had at least one critical or high-severity vulnerability
61% were running outdated software (CMS, plugins, or server stack)
48% had no Web Application Firewall (WAF) in place
34% exposed sensitive files or admin panels to the public internet
22% had SSL/TLS misconfigurations despite showing the padlock icon
11% had hardcoded credentials or API keys in publicly accessible source code

These aren't enterprise-grade targets. These are local restaurants, accounting firms, dental offices, and e-commerce shops — businesses that assume they're too small to be worth attacking. That assumption is wrong.

The 4 Most Dangerous Patterns We Saw

1. Outdated WordPress + Plugins (61% of sites)

WordPress powers roughly 43% of the web. It's also the most attacked CMS on the planet. The problem isn't WordPress itself — it's the plugin ecosystem and the failure to update.

We found sites running plugins with known CVEs from 2021 and 2022. Some had been unpatched for over 18 months. A single vulnerable plugin is enough for an attacker to gain full control of the site, install malware, redirect traffic, or exfiltrate customer data.

What attackers do with this: Deploy SEO spam, steal payment data via injected JavaScript skimmers, or use your server as a launchpad for attacks on others.

2. Exposed Admin Panels and Sensitive Paths (34% of sites)

/wp-admin, /phpmyadmin, /.env, /backup.zip — these paths are scanned by automated bots within hours of a site going live. We found a shocking number of businesses with no IP restriction, no rate limiting, and no two-factor authentication on admin login pages.

Worse: 8% had .env files accessible via browser, meaning database credentials, API keys, and mail server passwords were readable by anyone who knew to look.

What attackers do with this: Brute-force login, steal credentials, pivot to connected systems like email, CRM, or payment processors.

3. No WAF or DDoS Protection (48% of sites)

A Web Application Firewall sits between your site and the internet, blocking malicious traffic before it reaches your application. Nearly half the sites we audited had nothing.

This leaves them vulnerable to SQL injection, cross-site scripting (XSS), and volumetric attacks that can take a site offline in minutes.

What attackers do with this: Inject malicious code into your database, steal form submissions (including contact forms with customer PII), or simply knock your site offline.

4. SSL Done Wrong (22% of sites)

The padlock icon means the connection is encrypted. It does not mean the site is secure. We found sites with mixed content (HTTP assets on HTTPS pages), expired certificates on subdomains, TLS 1.0/1.1 still enabled, and missing HSTS headers allowing downgrade attacks.

Customers see the padlock and trust the site. That trust is not always warranted.

"But I'm Too Small to Be a Target"

This is the most dangerous myth in SMB security.

Attackers don't manually select targets. They run automated scanners across millions of IP ranges, flagging vulnerable sites for exploitation. Being small doesn't protect you — it just means there are fewer people watching when something goes wrong.

The real cost of a breach for an SMB: customer trust lost (often permanently), PIPEDA/GDPR notification obligations, downtime during the busiest periods, and potential liability if customer data is stolen.

One of the sites we audited — a 12-person accounting firm — had an exposed backup file containing client tax returns. They had no idea.

What You Can Do Today (Free)

Run a free scan — Tools like Sucuri SiteCheck, Mozilla Observatory, or OpenClaw give you a baseline in minutes
Update everything — CMS, themes, plugins. Enable auto-updates where possible
Enable 2FA on your admin panel — This blocks the vast majority of credential attacks
Check your exposed paths — Try yourdomain.com/.env and yourdomain.com/wp-admin. If either loads without authentication, fix it immediately
Add a WAF — Cloudflare's free tier includes basic WAF and DDoS protection

What OpenClaw Does

OpenClaw automates continuous security monitoring for SMBs — the kind of ongoing vigilance that used to require a dedicated security team. We scan for vulnerabilities, track changes, and alert you before a problem becomes a breach.

If you want a free audit of your own site, visit allotech.ai.

AlloTech AI builds AI-powered tools for SMB security and automation. OpenClaw is our automated vulnerability assessment platform for small businesses.

How We Built a Voice AI Agent That Handles 200+ Calls/Day Without a Human

AlloTech AI — Fri, 19 Jun 2026 13:00:31 +0000

At AlloTech AI, we run a voice AI agent — codename Hermes — that handles inbound and outbound calls for small businesses. No hold music. No "press 1 for sales." Just a voice that sounds human, understands context, and takes action.

Here's how we built it, what broke along the way, and what actually works at scale.

The Stack

We didn't invent anything here. We stitched together the best tools for each layer:

Telephony: Telnyx (WebRTC + SIP, programmable call routing)
Speech-to-Text: Deepgram Nova-2 (streaming, <300ms first token)
LLM: Claude Sonnet (tool use, low hallucination rate on structured tasks)
Text-to-Speech: ElevenLabs (cloned voice, ~200ms latency with streaming)
Orchestration: FastAPI + asyncio (Python, deployed on a single GPU VM)
Memory: Redis for session state, Postgres for call logs

Total per-call cost at 200 calls/day: ~$0.08–$0.14 CAD depending on call length.

The Hard Problems

1. Interruption Handling

Users interrupt. Always. A voice agent that can't handle barge-in sounds robotic and broken.

Our solution: we stream audio in 100ms chunks and run a Voice Activity Detection (VAD) model in parallel. The moment VAD detects user speech mid-response, we:

Kill the TTS stream
Flush the LLM output buffer
Re-inject the user's new utterance as context
Resume with a fresh completion

This dropped our "agent ignoring user" complaints from ~18% of calls to under 2%.

2. Tool-Call Latency

Hermes books appointments, looks up order status, and creates tickets. Each tool call adds latency. Our target: keep total response time under 1.2 seconds.

What we did:

Parallel tool execution where possible (fetch availability + customer profile simultaneously)
Streamed partial TTS while tool results were still coming in ("Let me check that for you..." buys 800ms)
Cached frequent lookups (business hours, menu items) in Redis with 5-minute TTL

Result: P95 response latency sits at 1.1s. P99 is 2.3s (outliers are Postgres cold queries).

3. Silence Detection

What does your agent do when the user goes silent? Ours used to just... wait. Callers hung up thinking the call dropped.

Fix: after 2.5s of silence post-question, Hermes says a natural filler ("Take your time" or "Still there?"). After 5s, it offers to call back. After 8s, it ends the call gracefully.

4. Persona Consistency

Claude is excellent at following a system prompt, but long calls drift. By call minute 4–5, the agent would occasionally drop the client's business name or use generic phrasing.

Solution: we inject a "persona anchor" into the context every 6 turns — a compressed reminder of the agent's identity, the business it represents, and the current call goal. Drift dropped to near zero.

Results

Metric	Before	After
Avg handle time	4m 12s	2m 48s
Call completion rate	71%	89%
Escalation to human	34%	11%
Caller satisfaction (CSAT)	3.2/5	4.4/5

What's Next

We're working on:

Multilingual support (French/English switching mid-call — critical for Montreal)
Emotion detection (route to human if caller sounds frustrated)
Post-call summaries pushed directly to client CRMs

If you're building voice AI or want to see Hermes in action, reach out: allotech.ai

AlloTech AI — Montreal-based AI automation for SMBs.

DEV Community: AlloTech AI