Security & recovery
Turning an exposed business site into a locked front door
WordPress security hardening for business websites

01The situation
A business came to me with a site that looked fine — it loaded, it worked, it made sales. What they didn't see was how exposed it was underneath. Nothing had gone wrong yet. That's exactly the moment most people ignore security — and exactly the moment it's cheapest to fix.
My belief drives this kind of work: launching a website is the beginning, not the finish line. A site that isn't protected isn't finished — it's just waiting.
02How I approached it
I don't bolt on a security plugin and call it done. Hardening is a layered process, each layer closing a door an attacker would otherwise use:
- Audited the full attack surface — logins, user roles, plugins, themes, file permissions, and server configuration — to find what was actually exploitable.
- Locked down access with strong authentication, brute-force protection, and limited login attempts, since credentials are the most common way in.
- Installed and configured a proper firewall / web application firewall to filter malicious traffic before it reaches the site.
- Brought the whole stack current — core, themes, and plugins — and removed the unused, abandoned ones that quietly become vulnerabilities.
- Set up automated backups and scheduled malware scanning, so if anything ever does happen, recovery is a button, not a crisis.
- Documented what was done in plain language, so the owner understands their own site instead of depending on blind trust.
03The outcome
The site went from silently exposed to actively protected and monitored — firewalled, backed up, updated, and watched. The owner stopped worrying about the thing they didn't previously know to worry about.
This is the work that never makes the news, because when it's done right, nothing happens. That's the whole point.
