Workflow

Lock down your WordPress site in 5 minutes

After a security scare or before going live. Five commands that harden your site without a security plugin.

4 min read May 2026

Something happened. Now what?

Maybe your hosting provider sent an email about brute-force attempts. Maybe you noticed a suspicious admin user you didn't create. Maybe a client's site got defaced and you're cleaning up the aftermath. Or maybe nothing happened yet — you're just setting up a new site and want to get security right from the start.

The instinct is to install a security plugin. Wordfence, Sucuri, iThemes Security — they're powerful, but they're also heavy. Firewalls, malware scanners, login attempt databases, email alerts, settings pages with 50 toggles. For the immediate response — "lock this down right now" — that's more than you need.

Here's a 5-minute lockdown you can run from the navigator before deciding whether a full security suite is necessary.

The five-step lockdown

1. Create a backup immediately. Before changing anything, capture the current state. If the site is compromised, this backup is evidence. If it's clean, it's your rollback point. Name it -archive_name=pre-lockdown so you can identify it later.
2. Hide the login page. Move /wp-login.php to a custom URL. Every brute-force bot on the internet hammers the default login URL. Moving it to something like /team-portal makes those attacks hit a 404 instead. The bots don't know what to do with a 404 — they move on.
3. Enable debug mode. If you suspect something was compromised, enable debug capture and browse the frontend. PHP errors, warnings, and deprecated calls show up in the navigator. Malicious code often triggers errors — undefined functions, failed file includes, suspicious file paths in the error log.
4. Check plugin updates. Outdated plugins are the number one attack vector for WordPress. Check what needs updating and apply everything. A known vulnerability in an outdated plugin is an open door — close it.
5. Password protect while investigating. If the site may be compromised, lock the frontend behind a password wall while you investigate. Logged-in admins bypass it, but public visitors (and bots) see a password form. This buys you time without taking the site fully offline.

When to use each level

Not every situation needs all five steps. Here's how to match the response to the threat:

Preventive (new site setup): Hide login + check updates. Takes 2 minutes. Eliminates brute-force attacks and closes known vulnerabilities before the site is even public.

Reactive (suspicious activity): Backup + hide login + debug mode + check updates. Takes 5 minutes. Preserves evidence, blocks the attack vector, and surfaces any errors left behind.

Emergency (confirmed breach): All five steps. Backup for evidence, hide login to stop ongoing attacks, debug to find traces, update everything, and password-protect the frontend while you clean up. Consider maintenance mode instead of password protection if the site shouldn't be seen at all.

After the lockdown

These five commands handle the immediate response. For ongoing security:

  • Keep the login hidden permanently. There's no reason for /wp-login.php to be publicly accessible. Bookmark your custom URL and share it with your team. Leave it hidden forever.
  • Schedule weekly plugin update checks. Add the check plugin updates command to a Cron Schedule. You'll know within a day when a security patch is available.
  • Schedule weekly backups. If you do get breached again, you want a recent clean backup. Not last month's — last week's.
  • Change all admin passwords. This isn't a command — it's a reminder. If the site was compromised, every admin account password needs to change. Today.


Every command in this lockdown is included with TrueCommander.
