Thanks for the quick replies. My idea is that it would be more of a one-time instance that gets him on these peoples' radar, but if the whole situation didn't make sense, I might need to rethink the storyline. Basically, it goes like this:
Guy shows his friend some basic hacking stuff he can do (accessing a neighbor's webcam, for example)
He then shows him how to hack into a website
Depends on how/where the website is hosted, but that's quite a broad skillset. Most webcams are hacked due to poor home network security and lazy use of admin passwords on devices (the old classic "admin, admin" credentials scenario). A website should be more secure than that - especially if it belongs to a criminal enterprise. Furthermore, most servers that aren't hidden behind a VPN which requires credentials, MFA etc are secured by IP address. So you would have to find out one of the IP addresses and then simulate it.
The website turns out to be for a business that acts as a front for a "white-collar" drug dealing business
There may be a really obvious answer to this that I am missing - but why would drug dealers have a website that links to their illegal activities? If they are storing drug transactions in a database and haven't secured it, then they are quite possibly some of the dumbest criminals alive. Any data storage should/would be encrypted and most of the systems I have worked on, the database is hosted on a different server to the website. Furthermore, finding a "complete data picture" in a database (which would obviously relate to criminal/drug activities) would take knowledge and skill. Most database have complex designs and require lengthy analysis to understand their contents without documentation. Unless you understand their architecture/purpose, you're not going to work it out in a few minutes (unless you have tables/views named "murders", "drug dealers", "customers" etc)
Criminals generally prefer to operate via mobile phones (burners), because they can be disposed of and replaced very simply. (Look up "County Lines" in the UK for an example). It's also far cheaper than hosting enterprise level solutions.
The drug dealers notice the website has been accessed, find out who it was, and blackmail him into helping them
How? Unless your MC is stupid enough to start copying/moving stuff about - or the criminals are checking login logs (which seems unlikely if their security is so sloppy), they probably wouldn't know. If they aren't prepared to pay to host the site securely, I can't see them investing heavily in intrusion detection.
I was trying to keep it as simple as possible, but even then I want to make sure that it's a plausible (maybe unlikely, but still realistic) scenario. For example, would he be able to access any sensitive information from hacking this website? Would it be encrypted/firewalled? And would the drug dealers be able to track his IP address and in turn shut down or control his system?
See above.
I don't want to be a killjoy and I applaud you for taking something like this on, but as others have suggested, if you're serious about this, you need to spend some time doing some research. Both from a hacking, but also a system architecture perspective. You have to understand the fundamental design/concepts before you defeat them.
If you are sure you want to use the hack website approach (and don't want to spend a few weeks learning the basics of IT), why not make him hack a neighbours computer and access if that way? A single persons lapse is more likely than an organisational one. As I said above, the weakest part of computer security is the person sat in front of a keyboard.
Good luck