Though WordPress is built to be secure, it’s not entirely safe. It requires regular maintenance, and your responsibility increases even more when you manage your clients’ WordPress.
This WordPress security guide lists effective set-it-and-forget-it ways for freelancers and agencies to automate security for their clients’ WordPress sites. For each new client you onboard, follow this checklist to safeguard against future threats.
Ready? Let’s begin.
-
1
16 WordPress Security Strategies To Safeguard WordPress Sites
- 1.1 1. Choose Secure Hosting for Client Sites
- 1.2 2. Use a Trusted WordPress Theme
- 1.3 3. Track All Sites in One Dashboard
- 1.4 4. Keep WordPress, Themes, & Plugins Updated
- 1.5 5. Strengthen Security with Solid Security
- 1.6 6. Enable 2FA and Limit Login Attempts
- 1.7 7. Assign Required Users Permissions
- 1.8 8. Block Spam Automatically
- 1.9 9. Automate WordPress Backups
- 1.10 10. Set Up Automatic Malware Scans
- 1.11 11. Protect Against DDoS Attacks with a CDN
- 1.12 12. Install SSL Certificates
- 1.13 13. Remove Unused Themes and Plugins
- 1.14 14. Log Out Idle Users Automatically
- 1.15 15. Enable a Web Application Firewall (WAF)
- 1.16 16. Outsource Support for Client Sites
- 2 Start With The Right Foundation
- 3 FAQs on WordPress Security for Freelancers Who Manage Clients
16 WordPress Security Strategies To Safeguard WordPress Sites
As much as WordPress security is about following best practices, it’s equally important to use reliable, trustworthy tools you can set and forget. With that said, here are the WordPress security strategies, along with the right tools and actionable steps to implement them correctly.
1. Choose Secure Hosting for Client Sites
Setting up a strong foundation is crucial. For WordPress sites, this starts with choosing secure, WordPress-optimized web hosting. All your clients’ site data will be stored in web hosting, so using a trustworthy host, such as SiteGround, is crucial.
Choosing SiteGround’s WordPress-optimized hosting plan is perfect as it offers complete security—it’ll take care of most of the strategies we’ll discuss in this post.
For example, with SiteGround, you get the Security Optimizer and Speed Optimizer plugins for free, so you don’t have to purchase third-party options. It auto-installs and updates the WordPress version to keep it up to date. Finally, it includes advanced caching solutions, a web application firewall (WAF), daily backups, and free CDN and SSL certificates.
SiteGround is known for its award-winning 24/7 customer support, so you won’t have to be available for your clients 24/7. You can leverage SiteGround’s support to respond to your clients when you’re unavailable. To simplify things as you’ll be managing multiple clients, going with web hosting that takes care of most things for you is smart and logical.
SiteGround offers much more than we discussed. Read this post to learn about SiteGround’s WordPress-optimized hosting features so you can use them to their full potential.
2. Use a Trusted WordPress Theme
Similarly, using a reputable, secure, and trustworthy WordPress theme reduces the risk of hacks or performance issues that could disrupt your clients’ websites. A good-quality theme like Divi also gives you many benefits such as regular updates, HTTPS security, compatibility with plugins, and protection against vulnerabilities.
Divi is a secure WordPress theme trusted by over one million site owners. It’s a highly customizable theme that lets you design any website type and edit every corner of it with its premium suite of tools:
- A visual drag-and-drop builder to design a site by moving elements
- Divi Quick Sites to generate a fully functioning site in less than two minutes
- Divi AI to let AI create a website for you
- And many tools, such as built-in split testing, thousands of pre-designed page layouts, and hundreds of content elements, to build a unique site.
But what makes Divi truly stand out is its focus on security. Here’s how we make sure Divi is a safe theme for Divi users:
- Regular Updates: We update Divi and fix errors to make it secure and optimized for top performance.
- Compatibility with Security Plugins: Divi is designed to be compatible with popular WordPress security plugins so you can easily enhance your clients’ site security.
- Comprehensive Documentation and Support: You can access our detailed documentation and dedicated support to configure the theme securely and address any security concerns.
- User Authentication and Access Control: The Divi Login Form module allows you to limit access to authorized members only.
- Minimizing Third-Party Dependencies: Divi minimizes potential security risks with external code by reducing reliance on third-party scripts and libraries.
- Performance Optimization: Enhanced performance reduces the risk of Denial of Service (DoS) attacks, indirectly contributing to websites’ overall security using Divi.
Your clients may not, but you know the importance of security, so use a secure theme like Divi for all their sites. Divi is not only safe but also perfect for agencies and freelancers. With Divi’s yearly membership of $89, you get unlimited downloads and installs, so there is no need to purchase separate licenses for each client—one Divi membership is enough to manage your portfolio sites.
3. Track All Sites in One Dashboard
Managing multiple WordPress sites manually without a tracking tool can quickly get out of hand. Logging in to different WordPress dashboards, remembering usernames and passwords, and keeping track of updates can become overwhelming. That’s why you should use a WordPress Site Manager like Divi Dash.
Divi Dash is a WordPress Site Manager that lets you ensure your clients’ sites are always up to date. You can track your clients’ WordPress, plugins, and theme updates in one dashboard. It also shows you site health, database, and WordPress reports so you can optimize all websites in one place without logging in to individual sites. You can use Divi Dash for these tasks:
- Bulk update WordPress, plugins, and themes
- Schedule automatic updates for plugins, themes, and WordPress
- One-click login to your clients’ WordPress dashboards
- Optimize WordPress database by deleting spam comments, trashed posts, etc.
- Monitor and fix site health issues in advance
- Collaborate and assign user roles to team members
A WordPress management dashboard simplifies maintaining security for many sites in one place. With Divi Dash, you can optimize it even more by automating updates to avoid the risk of overlooking, which could lead to threats in the future.
The best part is that Divi Dash is completely free with your Divi membership. When you purchase your Divi membership for $89, you get access to Divi Dash in your Elegant Themes Membership area—so there is no need to pay separately for a WordPress Site Manager.
Get Divi Dash (Free With Divi)
4. Keep WordPress, Themes, & Plugins Updated
Leaving WordPress, plugins, and themes un-updated is like leaving doors open for threats to enter. Without regular updates, your clients’ sites become vulnerable, as these updates generally address critical security issues. So, the most essential thing to do to secure your clients’ sites is to keep WordPress, themes, and plugins up-to-date.
However, it’s easier said than done, especially for freelancers and agencies managing a portfolio of sites. It’s manually challenging, except that it’s not—with Divi Dash, which lets you bulk update and schedule automated updates for different WordPress sites in a few clicks and in one dashboard.
You can update everything using the Update Everything button at the top right of the Updates section. You can review individual plugins, themes, or websites by visiting Websites, Themes, and Plugins. You can also automate updates on a specific day and time so you can set it and forget about it.
Make it a rule to keep WordPress, themes, and plugins latest. Divi Dash (free with your Divi membership) makes managing WordPress a breeze. You can bulk-update or schedule automatic updates to avoid keeping track of everything.
5. Strengthen Security with Solid Security
Updating WordPress, plugins, and themes isn’t enough to increase site security. You need a dedicated WordPress security plugin like Solid Security to enable the necessary settings and automatically protect your clients’ sites.
Key Features of Solid Security
- Malware Scanning
- Brute Force Attack Prevention
- Two-Factor Authentication (2FA)
- Limit Login Attempts
- Strong Password Enforcement
- File Permission Checks
- Disable XML-RPC (for DDoS attacks and brute force attempts)
- Change Default WordPress Login URL
- Disable Directory Indexing
- IP Whitelisting for wp-admin
- Automatic Database Backups
- HTTP Security Headers
- User Activity Logging and Monitoring
- File Change Detection and Alerts
By using Solid Security, you can automate many crucial security tasks, minimizing the risk of human error while ensuring that your clients’ WordPress sites are continuously monitored and protected.
Many of the tasks mentioned in this post can be handled with this plugin alone!
However, just installing the plugin is not enough. You need to configure the correct settings to deploy the best security. Here’s our in-depth tutorial on configuring Solid Security.
6. Enable 2FA and Limit Login Attempts
Multiple users logging in and out of WordPress can risk security. Therefore, you need to keep track of WordPress user logins. You can do a few things, like set up 2FA, limit login attempts, and hide the WordPress login URL.
First, setting up 2FA allows only authorized users, such as your client, you, and team members, to access WordPress. To set up 2FA, you can install the Solid Security plugin, which allows successful login only if the user enters the correct authentication code.
Next, you should limit login attempts. Hackers try multiple password combinations to gain unauthorized access. By setting a limit, you reduce the risk of these attacks and protect sensitive data. Solid Security also lets you set up brute force protection.
Finally, you need to hide your clients’ WordPress login URLs, making it difficult for hackers to guess usernames and passwords. Use Solid Security’s Hide Backend setting to modify the login URL and hide the default one. It’s one of the best security plugins, but you can also check JetPack for more features.
7. Assign Required Users Permissions
You also need to ensure that only the necessary permissions are assigned to team members with specific user roles so that limited people have full site access. Ideally, your client should have admin access, but they may not manage their site that often. For those situations, you can assign access to trusted team members.
Unlike the WordPress role editor, Divi Dash and Divi Role Editor allow you to manage user access at a granular level easily.
Add more users, delete a user, and log in to a site with a single click. Divi Teams also works with Divi Dash, so all your team members can access Divi Dash for free. They don’t need to track down usernames and passwords for all your clients—Divi Dash will store them with each client and user profile.
Using Divi Role Editor, you can alter access permissions for different user roles for each client based on their specific requests. For example, to restrict shop managers’ access to Divi Page Builder, Disable the Page Builder settings for the Shop Manager.
Use Divi Dash and Divi Role Editor to monitor user access and protect your client sites against unauthorized access. By granting team members only the necessary permissions, you can also protect critical pages like administrator settings.
For added security, you should also regularly monitor user activity on your clients’ sites. To automate this step, install the WP Activity Log plugin, which tracks and notifies you about suspicious activity.
8. Block Spam Automatically
As your clients’ websites grow, the risk of spam comments and form submissions increases. To avoid manually cleaning up spam, use Solid Security for automated protection:
- Blacklist Features: Block known spam IP addresses or entire ranges to prevent access.
- reCAPTCHA Integration: Integrate Google reCAPTCHA to protect email, comment, and contact forms, ensuring that only real users can submit entries.
- Bot Blocking: Prevent bots from spamming through comment sections, contact forms, and registration forms.
While Solid Security provides strong general protection, you can further enhance your defense by adding a specialized anti-spam plugin like CleanTalk, which offers real-time spam filtering across comments, forms, and WooCommerce pages.
Every once in a while, you can manually optimize your client’s WordPress database using Divi Dash. For a client’s website, scroll to the Optimization section and click Delete All. This will clean spam comments and trash items.
By combining Solid Security, CleanTalk, and Divi Dash, you can effectively protect your clients’ sites from spam while streamlining the cleanup process.
9. Automate WordPress Backups
WordPress sites need to be backed up regularly so that when a hacker harms your site, you can quickly restore the unharmed version and restore your site. As a freelancer or agency, manually backing up each site can be challenging, especially when you have to do it daily.
You can automate regular backups such that the latest version of your client’s site is downloaded and stored in cloud storage automatically every day without your involvement. With UpdraftPlus, it’s possible.
It creates daily backups, stores them on cloud storage, and protects the stored data by encrypting it.
UpdraftPlus also includes an easy-to-use migration tool that lets you copy your entire website or move it to a new host with just a few clicks. This makes updating your site quicker, reduces downtime, and removes the usual hassle of transferring a website.
Read our in-depth UpdraftPlus review to configure it correctly and enable more settings to increase your site security.
10. Set Up Automatic Malware Scans
Skipping regular malware scans can make your clients’ websites easy targets for hackers. This can lead to stolen information, lower search rankings, and lost client trust.
However, manually checking each site takes time, and you might miss some threats. To make things easier, use JetPack, which automatically scans for security issues and detects threats in real-time, keeping the sites safe without you needing to monitor them constantly.
Another great option is Solid Security, which also offers robust malware scanning and automated monitoring.
This way, you automate malware scans for all your client sites and protect them against online threats. You don’t do it manually; the plugin does it. You just get notified of any suspicious activity so you can take action promptly and avoid mishaps.
11. Protect Against DDoS Attacks with a CDN
DDoS, short for distributed denial of service, attacks mean flooding your site with spam traffic to make it inaccessible to real users. The more popular your site, the easier it gets affected by DDoS attacks.
Without a CDN, WordPress sites can easily be overwhelmed by DDoS attacks, where too much traffic could make the site slow or even crash. A Content Delivery Network (CDN) like Cloudflare helps protect your site by spreading the traffic across many servers worldwide. This keeps the site running smoothly during high traffic and makes pages load faster for visitors.
If you’re using Siteground, you’d get Cloudflare with its WordPress hosting plans. Since Cloudflare and Siteground are integrated, activating Cloudflare on your WordPress site and configuring DNS records becomes easy.
12. Install SSL Certificates
Clients often overlook installing an SSL certificate, but they don’t know it dramatically affects their site security. Without HTTPS encryption, data between users and the site can be tampered with, which could expose sensitive information.
That’s not a problem if you’re using trustworthy and secure WordPress hosting services. Hosts like Siteground make activating an SSL certificate easy. Go to SSL Manager and enter the domain you’d like HTTPS encrypted.
13. Remove Unused Themes and Plugins
You’d wonder what the harm is in keeping unused themes or plugins. The problem is that, when left un-updated, these themes and plugins can make sites vulnerable to attacks.
As important as keeping everything updated is removing unused themes and plugins. To do this, you can use Divi Dash to review each client site individually. The inactive themes and plugins are marked Inactive. Select and uninstall them.
This is a one-time practice, but make it a regular exercise to remove unwanted themes and plugins to keep your site secure and optimized for fast performance.
Get Divi Dash For Free With Divi Theme
14. Log Out Idle Users Automatically
Some of your team members leave their WordPress logged in after finishing their work for the day. This could lead to hackers hijacking your clients’ sites after they’ve hacked your team members’ devices. That’s why you need to log out of WordPress users automatically once they’ve become inactive.
To fix this, install the Inactive Logout plugin, which automatically logs idle users out after some time. Set the time you’d like to log out of users after inactivity, and that’s it.
15. Enable a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a security tool that monitors and filters incoming traffic to protect WordPress sites from malicious attacks such as SQL injections, cross-site scripting (XSS), and DDoS attacks. Enabling a WAF is crucial as it adds an essential layer of protection to your clients’ sites and prevents vulnerabilities from being exploited.
The good thing is that Cloudflare offers a built-in WAF as part of its service, allowing you to shield your clients’ websites from various cyber threats without needing to configure a WAF system separately.
16. Outsource Support for Client Sites
Even after doing everything right, your clients’ sites will experience minor bugs or errors that could give hackers a vault to enter. That’s why you should regularly monitor sites and fix any bugs and issues as they appear.
The problem is, with many sites, how do you keep up? If you’re a Divi user and have opted for Divi VIP, you can extend premium support to your clients at no extra cost.
This means both you and your client get 24/7 support with a 30-minute or less response time. Whenever there’s a problem, Divi experts are there to fix it without your intervention. Not to forget that with Divi VIP, you get exclusive discounts on Divi Marketplace.
Start With The Right Foundation
The security of your clients’ WordPress sites depends on a solid foundation. With the right WordPress host and a powerful theme, you can protect your clients from many threats. Siteground and Divi is a secure combination with irresistible benefits:
- Siteground offers WordPress-optimized hosting with built-in security features like Cloudflare, security plugins, daily backups, caching solutions, and top-class support for site issues.
- Divi is an all-in-one, highly customizable WordPress theme and page builder (that also works on a third-party theme) with unique features like split testing, conditions, a theme builder, etc., to help you build stunning websites for your clients.
- Divi includes more. For example, access to premium plugins (Bloom and Monarch) for social media and email opt-ins, Divi Quick Sites to generate websites in minutes, unlimited installs and downloads, and premium support to give you complete solutions for running clients’ sites efficiently.
- Divi Dash is free with your Divi membership, which costs only $89/year. You don’t need to pay for a separate WordPress site manager to manage client sites.
Leave A Reply