
Lock Down Your WordPress Site in 1 Hour — A Guide for Small Firms


If you're running your practice website on WordPress — and there's a good chance you are — you might think you're too small to be a target for hackers. Well, you'd be wrong. So to prevent your website crashing or leaking client information, let's look at some quick ways to improve WordPress security in about 1 hour.

WordPress powers over 40% of all websites on the internet, and around 1/3 of the small business websites I audit have been living with a hack for months without the owner even knowing it. That's...fairly alarming, not to mention the damage it's doing to your business.

The good news is you don't need to be a WordPress expert or hire me (you can! But you don't have to) to dramatically improve your WordPress security. In this guide, I'll walk you through practical security improvements you can implement in just one hour that will make your site significantly harder to compromise.

Step 1: Install and Configure a Security Plugin (15 minutes)

A robust security plugin serves as your first line of defense against attacks. WordFence is my go-to security plugin for small business sites, and the free version offers enough protection for most of us.


Let's install WordFence

  1. Log into your WordPress dashboard
  2. Go to Plugins → Add New
  3. Search for "Wordfence Security"
  4. Click "Install Now" then "Activate"
  5. Follow the setup wizard or go to Wordfence → Dashboard

Key WordFence Settings

  • Enable the firewall in "Learning Mode" initially (it will auto-adjust to your site)
  • Schedule regular scans (I usually do a weekly scan, but this all depends on your WordPress backup schedule)
  • Enable "Block IPs that appear to be attacking this site"
  • Enable login security options like CAPTCHA and limiting login attempts

WordFence will begin monitoring your site for suspicious activity, blocking malicious traffic, and scanning for malware. This single step improves things dramatically, and it took less time than a McDonald's drive-thru takes to process the simplest of orders.

Step 2: Implement Two-Factor Authentication (10 minutes)

Adding two-factor authentication (2FA) is perhaps the single most effective security measure you can implement. It ensures that even if a password is compromised, attackers still can't access your accounts without the second authentication factor. Is it inconvenient? Only if your phone is more than an arm's reach away.

Let's add 2FA

  1. In your WordPress dashboard, go to Plugins → Add New
  2. Search for "Two-Factor Authentication"
  3. Choose a reliable plugin (like "Two Factor Authentication" or use WordFence's built-in 2FA)
  4. Install and activate the plugin
  5. Configure 2FA for all admin users
  6. Download and set up an authenticator app like Google Authenticator on your iOS or Android phone

This simple improvement prevents most unauthorized access attempts on your WordPress dashboard. Scanning a QR code once to set up the authenticator app is a small inconvenience compared to the massive security benefits you'll get from this step.

Step 3: User Management and Password Security (10 minutes)

It's tempting to use 'Admin' and 'Password1234!' to easily remember your WordPress logins, but a bad password instantly makes your site an easy target. Taking control of who has access to your site and ensuring they follow proper password security is critical.

Let's beef up your WordPress user accounts

  1. Go to Users → All Users in your WordPress dashboard
  2. Remove any unnecessary user accounts
  3. Ensure remaining users have appropriate permission levels (not everyone needs to be an Administrator)
  4. Require strong passwords for all users. WordPress will prompt you to do this

Password Best Practices

  • Use a password manager like 1Password or Bitwarden to generate and store strong passwords
  • Ensure passwords are at least 12 characters with a mix of letters, numbers, and symbols
  • Never reuse passwords across different sites (this is critical!)
  • Change admin passwords at least quarterly as part of your WordPress website maintenance routine

I can guarantee that one person in your company is going to complain they can't remember their password with this secure system. And that's the point. If they can remember it, it's too easy and your site will be hacked.

Step 4: Plugin and Theme Maintenance (10 minutes)

Outdated WordPress plugins and themes are the most common entry points for hackers. Regular updates by theme & plugin developers help to patch security vulnerabilities before they can be exploited, so it's a good idea to spend a few minutes getting your site up-to-date at least once a month.

Let's update WordPress

  1. Go to Dashboard → Updates
  2. Update all outdated plugins, themes, and WordPress core
  3. Remove any inactive plugins or themes
  4. Review your active plugins list and consider if each one is necessary

Plugin Best Practices

  • Only install plugins from reputable sources (either the WordPress repository, or well-known companies)
  • Check when plugins were last updated before installing (avoid plugins not updated in the last 6 months)
  • Read reviews and check the support forum for unresolved security issues
  • Limit plugins to those that are necessary for your site to function properly

Step 5: Choose the Right Hosting Environment (5 minutes of research)

Your hosting provider plays a crucial role in your website's security. Not all hosts are created equal — some include security features at the server level, while budget hosts like GoDaddy or Bluehost charge extra for the same protections. It's worth knowing what your current host actually provides.

What to Look For in Secure Hosting

  1. Regular server-side malware scanning
  2. Web Application Firewall (WAF)
  3. Automatic WordPress updates
  4. Daily backups with easy restoration
  5. SSL certificate support
  6. DDoS protection
  7. Strong physical and network security measures

While you may not be able to switch hosts immediately, researching better options takes just a few minutes and can be implemented later. The security benefits of quality hosting cannot be overstated. A good host will also boost your website's speed, which is a nice SEO benefit.

Step 6: Backup Your Website (10 minutes)


Even with the best security measures in place, having reliable backups ensures you can quickly recover if something goes wrong.

Let's set up UpdraftPlus

  1. Go to Plugins → Add New and search for "UpdraftPlus"
  2. Install and activate the plugin
  3. Go to Settings → UpdraftPlus Backups
  4. Set a backup schedule — I'd recommend weekly for most small business sites, daily if you're updating content regularly
  5. Choose a remote storage destination (Google Drive, Dropbox, or Amazon S3 all work well with the free version)
  6. Run your first backup manually to make sure everything works
  7. Verify the backup files appear in your chosen storage location

The key is storing backups somewhere other than your web server. If your site gets compromised, backups sitting on the same server are useless. A remote copy means you can restore from a clean version in minutes, not days.

Step 7: Change Your WordPress Login URL (5 minutes)

By default, anyone can access your WordPress login page at /wp-admin or /wp-login.php. This makes it easy for bots to target your site with brute force attacks. They simply keep trying until they gain access or are blocked by the security measures we implemented in step 1. But wouldn't it be better if we just moved our login page somewhere they can't easily find it? Let's do that.

Change your WordPress login page

  1. Install a plugin like "WPS Hide Login" or use the login URL feature in WordFence
  2. Set a custom, unique URL for your login page (e.g., /my-hidden-login)
  3. Make note of your new login URL (you'll need it to log in. You may laugh now, but you won't when you need me to help you find it)

This step immediately stops thousands of automated login attempts and makes your site much harder to target. And it took barely any time at all to set up.
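To see what those automated attempts look like in your server's access log, here is an added example (not from the original post) that counts login POSTs per IP address; it assumes you can download the raw access log from your hosting control panel and that it is in the usual Apache/Nginx "combined" format. WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect into the dashboard (HTTP 302), so a burst of 200s followed by a 302 from the same address is the case to investigate first. The log lines below are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample access-log lines in "combined" format (not from a real site).
# Failed WordPress login = POST to wp-login.php answered with 200 (form shown again);
# successful login = POST answered with 302 (redirect into /wp-admin/).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:09:15:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:09:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:09:15:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""

# Pull out only the fields we need: client IP, request method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def login_attempts_by_ip(log_text, login_path="/wp-login.php"):
    """Return {ip: (failed, succeeded)} for POSTs to the login page.

    Pass login_path="/my-hidden-login" (or whatever you chose in step 7) after
    moving the login page. Query strings such as ?action=lostpassword are ignored.
    """
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != login_path:
            continue
        if m["status"] == "200":
            failed[m["ip"]] += 1
        elif m["status"] == "302":
            succeeded[m["ip"]] += 1
    return {ip: (failed[ip], succeeded[ip]) for ip in set(failed) | set(succeeded)}


def suspicious_ips(log_text, threshold=5, login_path="/wp-login.php"):
    """IPs with at least `threshold` failed logins; check these against
    WordFence's blocked-IP list and look hard at any that also show a success."""
    stats = login_attempts_by_ip(log_text, login_path)
    return sorted(ip for ip, (fails, _wins) in stats.items() if fails >= threshold)
```

Run it against a real log by reading the file into a string in place of SAMPLE_LOG; an IP that shows up in suspicious_ips() with a non-zero success count is a reason to reset that account's password and check the 2FA setup from step 2.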

Step 8: Security Through Common Sense (Ongoing)

Some of the most effective website security measures don't involve any tools at all. They're just common sense.

WordPress Security Best Practices

  1. Never log in to your WordPress site on public WiFi without using a VPN
  2. Be cautious of emails requesting admin access or password changes
  3. Log out of your WordPress admin area when not in use. Even if there's no security risk, a 5-year-old child can wreak havoc (I know this from experience)
  4. Regularly audit user accounts and remove access for former team members
  5. Check your site regularly for unusual behavior or changes
  6. Use unique administrator usernames (not "admin" or your domain name)
  7. Delete the default "Sample Page" and "Hello World" post that reveal your WordPress version

Bonus: Disable File Editing in WordPress Dashboard (5 minutes)

This is the one step that requires touching a line of code. If you aren't 100% sure how to do this, contact me and I'll sort it for you.

  1. Access your site's wp-config.php file (through your hosting file manager or FTP)
  2. Add this line of code just before the "That's all, stop editing!" comment:

     define('DISALLOW_FILE_EDIT', true);

WordPress allows administrators to edit plugin and theme files directly from the dashboard. That's convenient for people like me who need to make quick edits, but it becomes dangerous if an unauthorized user gains access to your admin area. This one line shuts that door.

Time's up. Your WordPress site is now secure

By implementing these steps, you've dramatically improved your WordPress site's security in just one hour. These changes create multiple layers of protection that work together to shield your site from the vast majority of common attacks. Does this mean your website will NEVER be hacked? I wouldn't bet my house on it, but I'd wager a decent amount of money that your site will be a really hard target.

This isn't a one-time thing. WordPress security needs to be regularly assessed as part of a website maintenance plan. I'd love to be the guy who does this for you, but you can definitely run a WordPress security audit yourself every month. Just don't forget!

Next steps: Make sure you've also got a solid WordPress backup strategy in place — because even the best security can't guarantee 100% protection. And if you'd rather hand the whole thing off, take a look at my WordPress maintenance service for solicitors, accountants, and consultants.
