Every few months, a lawyer emails me in a panic. Their website is down, their host flagged their account for malware, or worse, a client called asking why their firm's site is redirecting to a pharmacy in Eastern Europe. It's always fixable, but it's never fun, and it's almost always preventable.
The security advice most people give lawyers stops at "use a strong password and keep WordPress updated." That's not wrong, it's just wildly incomplete. Your website sits at the intersection of your professional reputation and your ethical obligations to clients. A compromised site isn't just an IT headache, it's a potential Rule 1.6 problem.
Here's what actually matters.
SSL is Not Optional, and it's Not Enough
If your site doesn't have a valid SSL certificate (the padlock in the browser, HTTPS in the URL), stop reading and fix that first. Browsers now actively warn visitors that HTTP sites are "Not Secure," which destroys trust immediately. Most hosts offer free SSL through Let's Encrypt. There's no excuse not to have it.
That said, SSL only encrypts data in transit between your visitor's browser and your server. It doesn't protect your site from being hacked, doesn't prevent malware from being injected, and doesn't mean your server is secure. It's the floor, not the ceiling.
Make sure SSL is configured to force HTTPS on all pages, including your contact form. A contact form that submits over HTTP even while the page shows a padlock is still leaking data.
Your WordPress Login Page is Being Attacked Right Now
This is not an exaggeration. Automated bots continuously scan the internet for WordPress sites and hammer the default login URL (yoursite.com/wp-admin) with credential guessing attempts. This is called a brute force attack, and it happens to virtually every WordPress site regardless of how famous or obscure you are.
Three things address this effectively. First, change the default admin username. "admin" is the first thing bots try. If your WordPress username is still "admin," change it today. Second, enable two-factor authentication (2FA) on your WordPress login. Even if someone guesses your password, they can't get in without your phone. Free plugins like Tiny 2FA handle this without complexity. Third, consider limiting login attempts. The same plugin blocks IPs after a set number of failed tries, which stops most automated attacks cold.
Keep Everything Updated, Every Single Week
The majority of hacked WordPress sites are compromised through outdated plugins and themes, not through sophisticated zero-day exploits. Developers release updates to patch known vulnerabilities. When you don't apply those updates, you're leaving a door open that's listed on public vulnerability databases that attackers actively monitor.
Log in to your WordPress dashboard weekly. Update WordPress core, every plugin, and your theme. If a plugin hasn't been updated by its developer in over a year and it's not a major plugin, consider replacing it. Abandoned plugins are a liability.
If you're on a managed WordPress host like WP Engine or Kinsta, some updates happen automatically. Verify what your host handles and what it doesn't.
Your Hosting Environment Matters More Than You Think
Shared hosting puts your site on a server alongside potentially hundreds of other websites. If one of those sites gets infected with malware, there's a real risk it spreads to yours through the shared environment. This is called cross-site contamination, and it's a known problem with cheap shared hosting.
This doesn't mean you need to spend a fortune. But it does mean that the $3/month hosting plan your nephew set you up with in 2019 may be costing you more in risk than you're saving in fees. A managed WordPress host with server-level security, automatic backups, and malware scanning runs $20-35/month and is worth every dollar for a law firm website.
Look for hosts that offer: server-side firewalls, automatic daily backups with easy restore, malware scanning and removal, and PHP version management. If your host can't tell you what PHP version your site is running, that's a red flag. PHP 7.4 reached end-of-life in 2022. Running it means running known, unpatched security holes.
Contact Forms and Client Data
Your contact form is a data collection point. Prospective clients submit their name, phone number, the nature of their legal matter, sometimes sensitive personal details. That data deserves specific attention.
Use a reputable contact form plugin that's actively maintained. Configure it to send submissions directly to your email rather than storing them indefinitely in your WordPress database. If your form plugin does store submissions in the database (many do by default), review and delete them regularly. You don't need a searchable archive of every inquiry sitting on your web server.
If you use a third-party form service that stores submissions on their servers, review their privacy policy and terms. You're responsible for where that client data ends up.
CAPTCHA or similar bot protection on your contact form is also worth implementing. Spam form submissions are annoying, but malicious ones can probe for vulnerabilities or be used in social engineering attacks.
Backups Are Your Last Line of Defense
If everything else fails and your site gets compromised, a clean recent backup is what saves you. Without one, recovery means rebuilding from scratch, which can cost significantly more in time and money than prevention ever would.
Your backup needs to meet three criteria to be useful. It needs to be automatic (you won't remember to do it manually), it needs to be stored offsite (a backup on the same server as your hacked site may also be compromised), and it needs to be recent (a backup from six months ago isn't much help).
Daily automated backups stored to a separate location like Amazon S3 or Google Drive are the standard. Plugins like UpdraftPlus make this straightforward. Many managed hosts include this automatically. Either way, verify your backup is actually running by checking the backup date in your plugin dashboard. A surprising number of people discover their backup plugin silently failed months ago only when they need it.
File Permissions and Server Hardening
This gets more technical, but it matters. WordPress files and directories should have specific permission settings that prevent unauthorized writes. Incorrect file permissions are a common vector for malware injection.
The general rule: directories should be set to 755 and files to 644. Your wp-config.php file, which contains your database credentials and security keys, should be set to 600 or 640. If you're not sure how to check this, ask your host or a developer. It takes five minutes to verify and fix.
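If you or your developer want to check the rule above rather than take it on faith, here is a small audit-and-fix script. It is an added example, not part of the original post; it assumes a POSIX shell with GNU or BSD find/stat, run as the account that owns the WordPress files, and it builds its own throwaway test tree so it can be tried safely before pointing it at a real install.

```sh
#!/bin/sh
# Audit and fix WordPress file permissions against the rule in the article:
# directories 755, files 644, wp-config.php 600 or 640.
# Added example, not from the original post. Assumes POSIX sh plus GNU or
# BSD stat/find, run as the owner of the WordPress files.

# Print a path's octal mode (GNU stat first, BSD stat as the fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Read paths on stdin and print one "path: want X, have Y" line each.
report() { while read -r p; do printf '%s: want %s, have %s\n' "$p" "$1" "$(mode_of "$p")"; done; }

# List every path that deviates from the rule; prints nothing when all is well.
wp_perm_audit() {
    find "$1" -type d ! -perm 755 | report 755
    find "$1" -type f ! -name wp-config.php ! -perm 644 | report 644
    # wp-config.php holds DB credentials and salts: owner-only (600) or owner+group (640).
    find "$1" -maxdepth 1 -name wp-config.php ! -perm 600 ! -perm 640 | report 600/640
}

# Apply the rule. Run the audit first so you know exactly what will change.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Constructed demo: a tiny WordPress-like tree with three deliberate mistakes.
# Prints "<offenders before fix> <offenders after fix>", expected "3 0".
wp_perm_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/example"
    : > "$root/index.php"; : > "$root/wp-config.php"
    : > "$root/wp-content/plugins/example/example.php"
    find "$root" -type d -exec chmod 755 {} +     # start from a correct state
    find "$root" -type f -exec chmod 644 {} +
    chmod 777 "$root/wp-content/uploads"                    # mistake 1: world-writable directory
    chmod 666 "$root/wp-content/plugins/example/example.php" # mistake 2: world-writable file
    # mistake 3: wp-config.php left at 644, readable by every account on a shared server
    before=$(wp_perm_audit "$root" | wc -l | tr -d ' ')
    wp_perm_fix "$root"
    after=$(wp_perm_audit "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$before $after"
}
```

On a real install, run `wp_perm_audit /path/to/wordpress` alone first; if your host runs the web server as a different user than the file owner, confirm the expected modes with them before applying `wp_perm_fix`.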
Also worth doing: disable XML-RPC if you're not using it. XML-RPC is a WordPress feature that allows remote publishing and is frequently exploited for brute force and DDoS attacks. Unless you use an app that requires it, there's no reason to leave it enabled. A single line in your .htaccess file disables it entirely.
Monitor Your Site
You want to know if something goes wrong before a client tells you about it. Basic monitoring can alert you within minutes of your site going down, which means you can respond before the damage compounds.
Free tools like UptimeRobot check your site every five minutes and email you immediately if it goes offline. That's the minimum. Security plugins like Wordfence also send alerts when suspicious file changes are detected, which can be an early warning of a compromise in progress.
Set these up once and they run in the background indefinitely. There's no good reason not to have at least basic uptime monitoring on a professional website.
The Ethical Dimension
It's worth being direct about this. The ABA Model Rule 1.1 on Competence has been interpreted to include basic technology competence, and multiple state bars have issued guidance that reasonable security measures for client data extend to your digital infrastructure. Running an outdated, unmonitored website that handles client inquiries is not just an IT problem. It's a professional responsibility issue.
Most lawyers managing their own sites aren't doing anything malicious; they're just not thinking about their website as infrastructure that needs maintenance. But the standard has shifted. "I didn't know" is a harder defense to make in 2026 than it was in 2015.
Where to Start
If you've read this and realized you're behind on several of these, here's a practical order of operations. Get SSL working and forced on all pages. Change your admin username if it's still "admin." Enable 2FA on your login. Check that automatic backups are running and storing offsite. Update everything. Set up uptime monitoring. Then work through the rest over the following weeks.
You don't have to do it all in one afternoon. But you do have to do it.
If you'd rather hand this off entirely, that's exactly the kind of ongoing work a webmaster retainer covers. I keep tabs on all of this for the law firm sites I manage so the attorneys don't have to think about it. If that sounds useful, take a look at what I offer or just send me an email.