Four layers. Blocks real threats. Stays out of your way.
Security for small business websites fails in two ways: either it's non-existent (nothing configured, everything default) or it's so locked down that legitimate operations get blocked and the developer spends half their time whitelisting. The goal is a baseline that blocks real threats, surfaces real problems, and stays out of your way.
WordPress security has a bad reputation because most WordPress sites are poorly secured. The platform itself isn't the vulnerability — the vulnerability is the combination of outdated core, unupdated plugins, weak admin credentials, and no monitoring. Hit any of those four and you're exposed.
For a business running a sales platform — with customer data, lead records, and active email/SMS communications — the stakes of a breach are higher than "the website looks defaced for a day." It's customer data exposure, reputation damage, and depending on what the site handles, regulatory liability.
Four layers.
Wordfence runs inside WordPress — it intercepts requests at the PHP level before they reach your application code. This catches things Cloudflare WAF misses: WordPress-aware attacks like wp-login.php brute force, XML-RPC abuse, known plugin exploits.
Firewall mode: Extended protection (PHP early launch)
— Runs Wordfence before WordPress loads; even direct-to-PHP requests that bypass WP routing are caught.
Login security:
— 2FA enabled for all admin accounts
— Lockout after 5 failed attempts / 30-min lockout
— Hide WordPress version from unauthenticated requests
Alerting:
— Admin email on any successful admin login from a new IP
— Admin email on any blocked attack
— Daily malware scan summary
Blocked: xmlrpc.php (no legitimate use case on a modern WP install)
The extended protection mode (early launch) is the most important configuration item. It requires adding one constant to wp-config.php:
define('WFWAF_EARLY_LOAD', '1');
Without this, Wordfence runs after WordPress bootstraps — meaning a fast exploit could get through before the firewall is active. With early launch, the firewall is up before any plugin or theme code runs.
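The login-security settings above (5 failed attempts, 30-minute lockout, email on an admin login from a new IP) are easier to reason about when you can see the state machine behind them. The following is an added example written for this lesson, not Wordfence's code: a per-IP lockout tracker with a new-IP alert for admin accounts, driven by a constructed 2am timeline. The 30-minute window for forgetting old failures and the account names are assumptions.

```python
from datetime import datetime, timedelta

# Policy values from the Wordfence settings above: 5 failed attempts, 30-minute lockout.
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=30)
FAILURE_WINDOW = timedelta(minutes=30)  # assumption: failures older than this stop counting


class LoginGuard:
    """Per-IP brute-force lockout plus a new-IP alert on successful admin logins."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.failures = {}      # ip -> timestamps of recent failed attempts
        self.locked_until = {}  # ip -> datetime at which the lockout ends
        self.seen_ips = {}      # username -> set of IPs that have logged in before

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout has expired: forget it, and the failures that caused it.
        del self.locked_until[ip]
        self.failures.pop(ip, None)
        return False

    def attempt(self, ip, username, now, password_ok):
        """Returns (outcome, alerts); outcome is ok, failed, locked_now or locked."""
        alerts = []
        if self.is_locked(ip, now):
            return "locked", alerts  # refused before the password is even checked
        if not password_ok:
            recent = [t for t in self.failures.get(ip, []) if now - t < FAILURE_WINDOW]
            recent.append(now)
            self.failures[ip] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked_until[ip] = now + LOCKOUT
                alerts.append(f"lockout ip={ip} user={username}")
                return "locked_now", alerts
            return "failed", alerts
        # Success: clear the counter, then alert if an admin arrived from an unseen IP.
        self.failures.pop(ip, None)
        known = self.seen_ips.setdefault(username, set())
        if username in self.admins and ip not in known:
            alerts.append(f"admin login from new ip={ip} user={username}")
        known.add(ip)
        return "ok", alerts


def simulate():
    """Constructed timeline: a 2am brute-force burst, the owner logging in, the lockout expiring."""
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    guard = LoginGuard(admins={"owner"})
    outcomes = []
    for i in range(5):  # five bad passwords in five seconds from one scanner IP
        outcomes.append(guard.attempt("198.51.100.7", "admin", t0 + timedelta(seconds=i), False)[0])
    # Sixth try is refused even with the right password: the IP is locked.
    outcomes.append(guard.attempt("198.51.100.7", "admin", t0 + timedelta(seconds=10), True)[0])
    # The owner on another IP is unaffected (lockout is per IP) but trips the new-IP alert.
    outcome, alerts = guard.attempt("203.0.113.4", "owner", t0 + timedelta(minutes=1), True)
    outcomes.append(outcome)
    # Thirty-one minutes later the lockout has expired and the IP may try again.
    outcomes.append(guard.attempt("198.51.100.7", "admin", t0 + timedelta(minutes=31), True)[0])
    return outcomes, alerts


if __name__ == "__main__":
    print(simulate())
```

The point worth noticing is the sixth attempt: once the lockout has fired, the right password is refused too, which is what stops a scanner that happens to guess correctly on try six. Locking per IP rather than per account is why the owner on a different address is never affected by the burst.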
From a security baseline perspective:
— wp-login.php and any admin endpoints
Cloudflare WAF + Wordfence together cover different attack surfaces. Cloudflare blocks at the network/HTTP layer, so a blocked request never reaches your server. Wordfence blocks at the PHP layer and catches what Cloudflare lets through. They don't conflict; they're defense in depth.
Backups are not backups until you've verified a restore. Most hosting backup systems say "backup completed" and you find out the backup is corrupt when you actually need it. That's the worst possible time.
Backup setup for the Anchor build:
The backup schedule gets verified manually on the first of each month: pull the latest backup, run a restore on staging, verify the site loads and the database is current. Not glamorous but it's the only way to actually know your backups work.
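The staging restore is the real test, but it is worth failing fast before you even start it: a backup that is truncated, missing its database dump, or dumped nine days ago is not worth restoring. The script below is an added example for this lesson, not a Cloudways or WordPress tool. It checks a .tar.gz backup for the files it must contain, for the core tables in the SQL dump, for the mysqldump-style "Dump completed on" trailer (an interrupted dump has none), and for the dump's age. The archive layout (wp-config.php plus db.sql), the table list, the two-day freshness limit and the sample archives are all constructed assumptions.

```python
import io
import re
import tarfile
import zlib
from datetime import datetime, timedelta

# What a usable backup must contain. File names and table list are assumptions for the Anchor build.
REQUIRED_FILES = {"wp-config.php", "db.sql"}
REQUIRED_TABLES = {"wp_options", "wp_posts", "wp_users"}
MAX_AGE = timedelta(days=2)  # a dump older than this means the schedule is not running
TRAILER_RE = re.compile(r"-- Dump completed on (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
TABLE_RE = re.compile(r"CREATE TABLE `(\w+)`")


def verify_backup(archive_bytes, now):
    """Return a list of problems with a .tar.gz backup; an empty list means it passed."""
    problems = []
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            names = set(tar.getnames())
            missing = REQUIRED_FILES - names
            if missing:
                problems.append(f"missing files: {sorted(missing)}")
            if "db.sql" in names:
                sql = tar.extractfile("db.sql").read().decode("utf-8", "replace")
                for table in sorted(REQUIRED_TABLES - set(TABLE_RE.findall(sql))):
                    problems.append(f"missing table: {table}")
                trailer = TRAILER_RE.search(sql)
                if trailer is None:
                    problems.append("dump has no completion trailer (interrupted dump?)")
                else:
                    dumped = datetime.strptime(trailer.group(1), "%Y-%m-%d %H:%M:%S")
                    if now - dumped > MAX_AGE:
                        problems.append(f"dump is stale: {dumped:%Y-%m-%d}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {type(exc).__name__}")
    return problems


def build_sample_backup(dump_time, drop_table=None):
    """Constructed backup archive (not a real host export): wp-config.php plus a SQL dump."""
    tables = [t for t in sorted(REQUIRED_TABLES) if t != drop_table]
    sql_lines = [f"CREATE TABLE `{t}` (`ID` bigint unsigned NOT NULL);" for t in tables]
    sql_lines.append(f"-- Dump completed on {dump_time:%Y-%m-%d %H:%M:%S}")
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'anchor');\n",
        "db.sql": "\n".join(sql_lines) + "\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_drill():
    """The first-of-the-month check, run against four constructed archives."""
    now = datetime(2024, 3, 1, 9, 0, 0)
    fresh = build_sample_backup(now - timedelta(hours=6))
    return {
        "fresh": verify_backup(fresh, now),
        "stale": verify_backup(build_sample_backup(now - timedelta(days=9)), now),
        "partial": verify_backup(
            build_sample_backup(now - timedelta(hours=6), drop_table="wp_users"), now),
        "truncated": verify_backup(fresh[:20], now),  # upload cut off after the gzip header
    }


if __name__ == "__main__":
    for label, problems in restore_drill().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the archive you pulled from the host before restoring to staging; only the archive that comes back clean is worth the restore time. The stale case is the one that catches silent schedule failures, where "backup completed" emails keep arriving for a job that stopped producing new dumps.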
UptimeRobot pings the site every 60 seconds from multiple geographic locations. If the site returns anything other than HTTP 200, it alerts via SMS and email.
Monitor type: HTTP(S)
Check interval: 1 minute
Alert contacts: owner SMS + developer SMS
Alert when down for: 1 check failure (immediate — no grace period)
SSL certificate monitoring: Yes, alert 30 days before expiration
Separate monitors for:
— Homepage (the obvious one)
— Inventory archive (highest traffic page)
— /wp-admin/ (if this errors, there's an application-layer problem)
— Lead form endpoint (if this errors, we're losing leads silently)
Why specific endpoints, not just the homepage: the homepage returning 200 doesn't tell you if your lead form is broken or your inventory pages are erroring. Monitor the things that matter to the business.
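Here is the same multi-endpoint logic as a script, added for this lesson rather than taken from UptimeRobot: each endpoint is fetched, anything other than a final 200 counts as down, and the alert text says what the business is losing (site down, application-layer problem, leads lost) instead of just which URL failed. It also checks the TLS certificate's remaining lifetime against the 30-day warning above. The non-root paths, the two simulated scenarios and their status codes are constructed assumptions; the http_fetch and cert_days_left helpers use only the standard library and do real network calls when you point them at a site.

```python
import socket
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timezone

# The monitor list from above. The non-root paths are assumptions for the Anchor site.
ENDPOINTS = {
    "homepage": "/",
    "inventory": "/inventory/",
    "wp-admin": "/wp-admin/",
    "lead form": "/lead-form/",
}
CERT_WARN_DAYS = 30


def http_fetch(base_url, timeout=10):
    """Real fetcher: final HTTP status for base_url + path, redirects followed."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # a 4xx/5xx is still an answer; report the status
    return fetch


def cert_days_left(host, now=None, port=443, timeout=10):
    """Days until the TLS certificate served by host expires (real network check)."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def evaluate(statuses, cert_days):
    """Turn {endpoint: status or None} into alerts phrased as business impact."""
    alerts = []
    down = {name for name, status in statuses.items() if status != 200}
    if "homepage" in down and "wp-admin" in down:
        alerts.append("SITE DOWN: homepage and wp-admin both failing")
    elif "homepage" in down:
        alerts.append("HOMEPAGE DOWN: wp-admin still answers")
    elif "wp-admin" in down:
        alerts.append("APPLICATION ERROR: wp-admin failing while homepage serves")
    if "lead form" in down:
        alerts.append("LEADS LOST: lead form endpoint failing")
    for name in sorted(down - {"homepage", "wp-admin", "lead form"}):
        alerts.append(f"DEGRADED: {name} failing")
    for name in sorted(down):  # raw evidence after the summary lines
        status = statuses[name]
        detail = "no response" if status is None else f"HTTP {status}"
        alerts.append(f"  {name}: {detail}")
    if cert_days < CERT_WARN_DAYS:
        alerts.append(f"CERT: expires in {cert_days} days")
    return alerts


def run_monitor(fetch, cert_days):
    """One monitoring pass; alert on the first failed check, no grace period."""
    statuses = {}
    for name, path in ENDPOINTS.items():
        try:
            statuses[name] = fetch(path)
        except OSError:  # timeout, refused connection, DNS failure
            statuses[name] = None
    return evaluate(statuses, cert_days)


def simulate_incident():
    """Constructed: the 2am PHP-FPM exhaustion, every PHP request answering 502."""
    return run_monitor(lambda path: 502, cert_days=45)


def simulate_partial():
    """Constructed: a page cache still serves the homepage while PHP-backed paths fail."""
    return run_monitor(lambda path: 200 if path == "/" else 500, cert_days=12)


if __name__ == "__main__":
    print("\n".join(simulate_incident()))
```

For a live pass, call run_monitor(http_fetch("https://your-site.example"), cert_days_left("your-site.example")) from cron every minute and page on a non-empty result. The partial scenario is the case a homepage-only monitor never sees: a cached front page keeps answering 200 while every PHP-backed request, including the lead form, is failing.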
Security incidents at small businesses follow a pattern: nothing is configured, the breach goes unnoticed for weeks or months, the cleanup is expensive, the reputation damage is lasting. Most of these are preventable with a competent baseline.
The secondary benefit of this setup is operational visibility. The Wordfence live traffic log and the UptimeRobot alert history give a clear picture of what's hitting the site. Before touching any infrastructure, I check these. They tell me if something changed — a spike in blocked requests, a pattern of 404s from a new referrer, anything that indicates I'm not looking at the baseline I thought I was.
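"Am I looking at the baseline I thought I was" is a question you can put in code. The script below is an added example for this lesson, not part of Wordfence or any hosting panel: it parses combined-format access log lines (what nginx and Apache write), establishes a per-hour baseline of blocked requests from earlier days, flags any hour on the current day that exceeds three times that baseline, and lists referrers that are suddenly generating 404s but never did before. The log lines are constructed, and treating HTTP 403 as "blocked by the firewall" is an assumption about how blocks show up in the server log.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Combined log format (nginx/Apache default). The Wordfence live traffic view shows the same
# facts; this works on the raw server log so it can be run from a shell or cron job.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the pattern cannot read rather than abort the report
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def hourly_counts(records, status):
    return Counter(r["ts"].strftime("%Y-%m-%d %H") for r in records if r["status"] == status)


def blocked_spikes(records, today, factor=3, floor=10):
    """Hours on `today` whose 403 count exceeds factor x the median hourly count of earlier days."""
    counts = hourly_counts(records, 403)
    baseline = [c for hour, c in counts.items() if not hour.startswith(today)]
    typical = median(baseline) if baseline else 0
    threshold = max(floor, factor * typical)  # floor stops a quiet baseline from paging on noise
    return sorted((hour, c) for hour, c in counts.items() if hour.startswith(today) and c > threshold)


def new_referrer_404s(records, today, min_count=5):
    """Referrers that produced >= min_count 404s today but none on earlier days."""
    seen_before = {r["ref"] for r in records
                   if r["status"] == 404 and r["ts"].strftime("%Y-%m-%d") != today}
    today_404 = Counter(r["ref"] for r in records
                        if r["status"] == 404 and r["ts"].strftime("%Y-%m-%d") == today)
    return sorted((ref, n) for ref, n in today_404.items()
                  if n >= min_count and ref not in seen_before and ref != "-")


def sample_log():
    """Constructed log: two quiet days, then a scanner burst and a dead inbound link on day 3."""
    lines = []

    def line(day, hour, minute, ip, path, status, ref="-"):
        lines.append(f'{ip} - - [{day:02d}/Mar/2024:{hour:02d}:{minute:02d}:00 +0000] '
                     f'"GET {path} HTTP/1.1" {status} 512 "{ref}" "Mozilla/5.0"')

    for day in (1, 2, 3):
        for hour in range(24):
            for minute in range(3):  # the usual trickle: ~3 blocked scanner hits per hour
                line(day, hour, minute * 17, "198.51.100.23", "/wp-login.php", 403)
            line(day, hour, 45, "203.0.113.8", "/old-page", 404)  # stray 404, no referrer
    for minute in range(40):  # day 3, 02:00: a brute-force burst from one address
        line(3, 2, minute, "192.0.2.77", "/wp-login.php", 403)
    for minute in range(8):  # day 3: a partner site starts linking to a removed listing
        line(3, 14, minute, "203.0.113.9", "/inventory/2019-f150", 404,
             ref="http://partner.example/listings")
    return lines


def report(today="2024-03-03"):
    records = parse(sample_log())
    return {
        "spikes": blocked_spikes(records, today),
        "new_404_referrers": new_referrer_404s(records, today),
    }


if __name__ == "__main__":
    print(report())
```

The two findings map to the two things the paragraph says to look for: the 02:00 hour on day 3 stands out against a baseline of three blocks per hour, and the partner site's dead link surfaces as a referrer that never produced 404s before. Swap sample_log() for the real file and run it before any infrastructure change, so a spike you did not cause is not blamed on the change you are about to make.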
The Anchor build has not had a successful breach since launch. Wordfence blocks several hundred malicious requests per day — mostly automated WordPress vulnerability scanners, wp-login brute force attempts, and known plugin exploit patterns. None have gotten through.
The one incident worth documenting: three months post-launch, UptimeRobot fired an SMS alert at 2am. The site was returning 502. Root cause was a PHP-FPM worker count exhaustion — a traffic spike from a marketplace feed sync hitting at the same time as a scheduled email sequence. Fixed in 20 minutes by bumping PHP-FPM max_children from 10 to 20 on the Cloudways panel.
The alert gave 2am visibility instead of 9am discovery. That's the point of the monitoring setup. You find out when it happens, not when a client calls.
Every lesson stays free — no account, no paywall, no email gate, ever. But if you’d rather have this system standing on your business than wire all 48 lessons yourself, leave your email. We’ll send you a direct line to a build — and you’ll be first to hear when we add new tools to the curriculum.
None of this gates a single lesson. The curriculum was free before you got here and it stays that way.
You came here to understand the system, and now you do. If you’d rather have it standing on your business than spend the next three months wiring it yourself, GAP Concierge is the same architecture from these lessons — a white-label AI agent that knows your catalog and captures your leads — set up for you, from $97/mo.