My strategy for securing WordPress websites. The internet is filled with unscrupulous people. Are you doing everything you can to ensure your clients’ portion of it is safe by securing their WordPress websites? I recently published a podcast episode and article on earning extra income by offering website maintenance plans. Part of that strategy is making sure the websites you manage are secure. I received many questions afterwards asking how I secure my clients’ WordPress websites. There are many ways and many tools available for securing a WordPress website. Here is the method that works for me. WordPress Security. Those two words, “WordPress Security” may sound intimidating to the uninitiated. Let me assure you they’re not. If I can learn how to do this, so can you. I’m not a programmer. I’m not even a developer. I’m just a WordPress user who figured out a security strategy that works for me. What is WordPress Security? WordPress security involves putting measures in place to decrease the chance of someone compromising a website. If you sell WordPress Security as part of your website maintenance plan, be sure to tell your clients there are no guarantees. If a skilled hacker is determined to gain access to a website, they will, and there’s not much you can do to prevent it. The purpose of Website security is to make it as difficult as possible for them, so they leave your site alone and go in search of an easier target. Most hacking attempts are easily preventable with a few simple measures. Here’s what I do. Securing Account Login. By default, every WordPress installation provides easy access for administrators to gain entry to a site through the URL domainname.com/wp-login.php. This default makes the WordPress login page the most attacked part of any website. So how do you secure the account login? Hide the backend I use iThemes Security Pro to hide the backend of every website and replace the login page with something else. If anyone tries entering the site via the /wp-login.php page, they’ll be taken to a 404 page not found page instead. This is more of security by obscurity, and is not a very strong strategy, but if it helps prevent automated bots and such, then why not do it? iThemes Security Pro > Security > Settings > Advanced > Hide Backend Force the use of a strong password. The stronger the password, the harder it is to crack. Forcing a strong password makes it more difficult to gain access to a site. iThemes Security Pro allows me to force the use of strong passwords. New site users must enter a strong password to create their account, and existing site users are forced to update their weak password when they next log in. iThemes Security Pro > Security > Settings > Password Requirements Prevent the use of compromised passwords. One of the main vulnerabilities of passwords is their reuse. Many people think up a good password, but then they use it everywhere. All it takes is for one database breach containing their user name and password, and a hacker can gain access to wherever the two are used in combination. iThemes Security Pro connects to the haveibeenpwned API and refuses any compromised passwords. As part of this prevention method, I recommend all my clients use a Password Manager such as 1Password to create strong, unique passwords for every site they visit. iThemes Security Pro > Security > Settings > Password Requirements Limit Login Attempts. Even a strong password may be guessed if given enough time. So as an extra measure, I turn on Brute Force Protection in iThemes Security Pro to prevent the number of failed login attempts. I have it set so that three failed login attempts will lock a user out of the site for 15 minutes. After their third lockout, it bans the IP address from even viewing the website. iThemes Security Pro > Security > Settings > Local Brute Force Protection Two-Factor Authentication. Two-Factor Authentication, sometimes called 2FA, adds an extra step to the login process. The way it w