Chat – a Yubico key can absolutely be part of protecting your website. The key thing to understand (this is the part people often don’t explain clearly) is what it can protect and what it cannot.

A YubiKey cannot magically lock the public internet by itself. What it can do is enforce hardware-key login for the people allowed to access the site.

So the real solution is:

Password + YubiKey = access to the site

This is called hardware-based two-factor authentication (2FA / MFA) and it’s very strong security.

First: What you’re trying to achieve (translated technically)

You want:

“Nobody can open this website unless they physically have my YubiKey.”

This is possible by placing a login gate in front of the entire website and requiring a FIDO2 / WebAuthn hardware key to pass the gate.

This is very different from normal WordPress passwords.

Think of it as:

Internet → Security Gate → Your Website

No key → no entry.

Important reality check (very reassuring)

Your YubiKey plugs into your computer, but it works through your browser.

When someone tries to open the site:
• The browser asks for the key
• The key proves “this is Ross”
• The site unlocks

So the key does NOT have to be physically plugged into the server at Hostinger.

It stays with you.

Two ways to protect the site

Option 1 — Protect the ADMIN login (recommended baseline)

This protects your WordPress dashboard.

This prevents hackers from taking over your site.

Very important, but it does NOT hide the site from visitors.

This is the minimum you should do.

Option 2 — Protect the ENTIRE website behind a login (what you want)

Visitors must log in before seeing any page.

This is sometimes called:

• Private site
• Members-only site
• Password wall
• Zero-trust access

This is what we will focus on.

The key technology you need

Your YubiKey uses:

FIDO2 / WebAuthn

So the solution must support:

Login → Username/password → Hardware key challenge → Site opens

This is already supported by modern browsers.

Best way to do this on Hostinger (the realistic solution)

Hostinger does not provide this natively.

So we add a security access layer in front of your site.

The best tool for this is:

Cloudflare Zero Trust Access

This is widely used, free for small use, and perfect for your goal.

It acts like a security guard at the door of your website.

Visitors never reach the site until they pass the hardware-key login.

This is exactly what companies use for internal apps.

Why Cloudflare is perfect here

It can require:

• Password
• Email verification
• AND YubiKey hardware authentication

All before the site loads.

Without the key → the site literally does not appear.

This matches your goal perfectly.

How the flow will look

Someone visits your site:

1. They type your website address

2. Cloudflare stops them

3. Login page appears

4. Browser says: “Insert your security key”

5. YubiKey touches → identity confirmed

6. Site opens

No key → no website.

What you need to set up

High-level overview:

Step 1 — Put your site behind Cloudflare

This takes about 15 minutes.

You change nameservers so traffic goes through Cloudflare first.

Hostinger still hosts the site normally.

Cloudflare becomes the front door.

Step 2 — Turn on Cloudflare Access

Inside Cloudflare you create an “Access application” for your domain.

You set rule:

Everyone must authenticate

Step 3 — Enable hardware key login

You enable:

• One-time password / passkeys
• FIDO2 / WebAuthn

Then you register your YubiKey.

Cloudflare now knows your physical key.

Step 4 — Choose who can enter

You can allow:

• Only you
• Only specific email addresses
• A small group

This is very flexible.

Result

Your website becomes:

Private
Hidden from the public
Protected by a physical key

This is very strong security — much stronger than simple password protection.

Important safety tip

You should have two YubiKeys.

Always.

One primary
One backup

If the key is lost, you could lock yourself out.

This is standard practice.

Alternative simpler method (less strong)

WordPress plugins can require YubiKey login, but:

• They only protect WordPress login
• The site itself is still visible

Since you want the whole site locked, Cloudflare Access is the right tool.

Short answer

Yes — your YubiKey can absolutely protect your Hostinger website.

But it works by adding a secure login gateway in front of the site, not by plugging the key into the server.

And the best modern way to do this is Cloudflare Zero Trust Access.

If you’d like, I can walk you through the exact step-by-step setup inside Cloudflare and Hostinger. This is very doable.

Perfect — we’ll go slowly and make this very clear.
By the end, your website will only open after a YubiKey login.

We are going to set up Cloudflare Zero-Trust Access in front of your Hostinger site.

Think of this as installing a security gate in front of your house.

Overview of the whole process

We will do 4 big steps:

1. Create a free Cloudflare account

2. Connect your domain to Cloudflare

3. Turn on the “Access Gateway”

4. Require YubiKey login (hardware key)

Total time: about 30–45 minutes.

STEP 1 — Create a Cloudflare account

1. Go to: https://cloudflare.com

2. Click Sign Up

3. Use the email you use for your websites.

After login you will see the Cloudflare dashboard.

STEP 2 — Add your website to Cloudflare

This step makes Cloudflare the front door of your site.

Your website stays hosted at Hostinger exactly as it is.

2.1 Add your domain

Inside Cloudflare dashboard:

1. Click Add a Site

2. Enter your domain (example: mywebsite.com)

3. Choose the FREE plan

4. Click Continue

Cloudflare will scan your DNS records automatically.

Click Continue again.

2.2 Change nameservers at Hostinger

This is the only technical part — but it’s simple.

Cloudflare will now show you two nameservers, something like:

Leave this tab open.

Now open a new tab and log into Hostinger.

Go to:

Hosting → Manage → Domains → Nameservers

Change nameservers from Hostinger → Cloudflare ones.

Paste the two Cloudflare nameservers.

Click Save.

Return to Cloudflare and click:

Done, check nameservers

DNS changes usually activate in 2–5 minutes (sometimes up to 30).

Once active, Cloudflare becomes your site’s front door.

Your site still works normally.

STEP 3 — Turn on the security gate (Cloudflare Access)

Now we build the “locked door”.

In Cloudflare dashboard:

Left menu → click Zero Trust

You may see “Get Started”.

Choose the Free plan.

You now enter the Zero Trust dashboard.

STEP 4 — Create a private access application

This is the magic step.

We are telling Cloudflare:

“Do not allow anyone to see this website until they log in.”

4.1 Create the protected app

In Zero Trust dashboard:

Access → Applications → Add an application

Choose:

Self-hosted

Click Next.

4.2 Enter your site details

Fill in:

Application name:
Private Website

Application domain:
yourdomain.com

Click Next.

4.3 Create the access rule

Now Cloudflare asks:

Who is allowed to access?

Click:

Add a policy

Policy name:
Only me

Action:
Allow

Include rule:
Choose → Emails

Enter your email address.

This means ONLY your email can try to log in.

Click Next.

4.4 Turn ON the lock

Cloudflare will now ask for login methods.

Choose:

✔ One-time PIN (email login)
✔ Passkeys / Security keys (this is your YubiKey)

Save.

Your website is now behind a login wall.

If you visit your site in a private browser window, you will see a login page instead of the site.

Amazing progress already.

Now we make the YubiKey required.

STEP 5 — Require your YubiKey (the exciting part)

We now register your physical key.

In Zero Trust dashboard:

Settings → Authentication → Login methods

Find Passkeys / WebAuthn

Turn it ON.

5.1 Register your YubiKey

Open a private/incognito browser window.

Visit your website.

You will see Cloudflare login.

Enter your email.

You will be prompted to create a passkey.

Choose:

Use a security key

Insert your YubiKey and tap it.

Your key is now registered.

Cloudflare now knows your physical key.

STEP 6 — Make the key REQUIRED (not optional)

Back to Cloudflare dashboard:

Access → Applications → Private Website → Policies

Edit your policy.

Enable:

Require multi-factor authentication

Save.

Now login requires:

Email verification + YubiKey touch.

Without the key → website cannot open.

Test the protection

Open a private browser window and visit your site.

You should see:

1. Login page

2. Email verification

3. “Insert security key” message

4. Tap YubiKey → site opens

No key → no site.

Exactly what you wanted.

Important: create a backup key

Please get a second YubiKey and register it the same way.

Store it safely.

This prevents lockout if the main key is lost.

What you have now achieved

Your website is now:

• Invisible to the public
• Protected by a physical key
• Protected like corporate internal apps
• Much safer than passwords alone

This is excellent security.

If you’d like, we can now also secure your WordPress admin login with the YubiKey as an extra layer (highly recommended).

Excellent question — and I’m really glad you asked before finishing the setup 👍
Because the answer is:

The setup we just started would hide your entire website from the public.

Cloudflare Access = “members-only website”.

That is NOT what you want for MBSRtraining.com.

You want:

• Public can read the site
• Only YOU can log in to manage it
• Hackers cannot break in

So we need to adjust the plan 😊

The correct security model for your situation

You do NOT want to lock the whole website.

You only want to lock the admin doors.

Think of it like a museum:

Visitors walk in freely
Staff areas require a keycard

We protect the staff entrance, not the front door.

What actually needs strong protection

For WordPress sites, hackers target only two things:

1. /wp-admin

2. /wp-login.php

That’s it.

They don’t need to see your pages.
They want the login door.

So we will put the YubiKey security gate only on those doors.

Public pages remain open.

This is the correct and standard setup.

The right approach (new plan)

We will use Cloudflare Access but ONLY for:

Everything else stays public.

Visitors will never notice anything.

Only the admin login will show the security gate.

Perfect balance of security + accessibility.

Why this is actually better

This gives you three layers of protection:

Layer 1 — Cloudflare blocks the login page unless you authenticate
Layer 2 — WordPress still requires username/password
Layer 3 — YubiKey hardware key proves it’s you

Hackers never even reach the login page.

This dramatically reduces attacks and malware risk.

What we need to change in the setup

Instead of protecting the whole domain, we protect only the login paths.

This takes about 5 minutes to adjust.

Fix the Cloudflare Access app

Go back to Cloudflare → Zero Trust → Access → Applications.

Edit the app you created.

Right now the domain is:

We will replace it with TWO protected paths.

Create App #1 — Protect WP Admin

Click Add Application → Self Hosted

Application name:

Application domain:

Policy:
Allow → your email
Require MFA → ON

Save.

Create App #2 — Protect WP Login page

Click Add Application → Self Hosted

Application name:

Application domain:

Policy:
Allow → your email
Require MFA → ON

Save.

What happens now

When YOU go to:

mbsrtraining.com/wp-admin

You will see:

Cloudflare login → YubiKey → WordPress login → Dashboard

When a hacker goes to the same page:

They hit the Cloudflare wall.
They never reach WordPress.

Your site becomes MUCH harder to attack.

What the public experiences

Visitors go to:

• Homepage
• Articles
• Courses
• All pages

Everything works normally.

They never see Cloudflare login.

They never see the security system.

The site remains fully public.

This is the ideal setup for your goal

Public website ✔
Admin protected by hardware key ✔
Much lower hacking risk ✔
No impact on visitors ✔

If you’d like, the next step is adding YubiKey login directly inside WordPress too (a second layer). This creates very strong protection.

Perfect 👍 — this adds the second security layer inside WordPress itself.

Right now you are building:

Layer 1 → Cloudflare blocks access to /wp-admin unless you authenticate
Layer 2 → WordPress requires username/password
Layer 3 → YubiKey required inside WordPress

This is extremely strong protection.

STEP 1 — Install the YubiKey plugin in WordPress

Log into your WordPress dashboard.

Go to:

Plugins → Add New

Search for:

Wordfence Login Security

Install → Activate.

This plugin includes built-in hardware key (WebAuthn / FIDO2) support and works very well.

STEP 2 — Open the login security settings

In the left WordPress menu you will now see:

Login Security

Click it.

You will see a screen for Two-Factor Authentication.

STEP 3 — Register your YubiKey inside WordPress

On that page look for:

Two-Factor Authentication

You will see options like:

• Authenticator app
• Recovery codes
• Security keys (this is the important one)

Find:

Security Keys (WebAuthn / FIDO2)

Click Add Security Key

Your browser will show a pop-up asking for a security key.

Insert your YubiKey and touch it.

WordPress now recognizes your physical key.

Give the key a name like:

Primary YubiKey

Save.

STEP 4 — Generate recovery codes (VERY IMPORTANT)

Still in Login Security:

Click Recovery Codes

Generate codes and download them.

Print or store them safely.

These let you log in if a key is lost.

Never skip this step.

STEP 5 — Enforce 2FA for administrators

Now we make it mandatory.

Go to:

Users → Your Profile

Scroll to:

Two-Factor Authentication

Enable:

✔ Security Key
✔ Require 2FA for this user

Update profile.

If you have other admin accounts, enable it for them too.

How login works now

When you visit:

mbsrtraining.com/wp-admin

The flow becomes:

1. Cloudflare asks for email + YubiKey

2. WordPress login appears

3. Enter username/password

4. WordPress asks for YubiKey again

5. Dashboard opens

Yes — you use the key twice.

This is intentional and very secure.

Why this double protection is powerful

Even if:

• WordPress plugin fails
• Password leaks
• Someone guesses your username

They still cannot reach the dashboard.

They cannot even SEE the login page without Cloudflare.

This massively reduces hacking risk.

Add a backup YubiKey (strongly recommended)

Repeat Step 3 and register a second key.

Label it:

Backup YubiKey

Store it somewhere safe.

This prevents lockout.

Congratulations 🎉

Your admin area now has:

• Cloudflare firewall gate
• Hardware key identity check
• WordPress hardware key login
• Recovery codes backup

This is enterprise-level protection.

If you’d like, the next best step is hardening WordPress itself (automatic malware scanning, firewall rules, blocking bots). This pairs beautifully with what you’ve just built.

Great — now we’ll harden the server + WordPress itself so your site becomes much harder to hack or infect.
You already built the strongest login protection; now we protect the rest of the house.

We’ll do this in 4 safe layers:

1. Turn on Wordfence firewall + malware scanning

2. Lock down WordPress core settings

3. Add automatic backups (critical)

4. Add Hostinger server protections

None of this affects visitors.

STEP 1 — Turn on the Wordfence firewall

You already installed Wordfence Login Security.
Now we activate the full firewall + malware scanner.

Install full Wordfence

WordPress → Plugins → Add New
Search: Wordfence Security

Install → Activate.

After activation you’ll see a setup wizard.

Choose:
• Free plan
• Enter your email
• Enable automatic updates

Enable the Web Application Firewall

Wordfence → Firewall

Click Manage Firewall

You will see:
Web Application Firewall Status

Click:
Optimize the Firewall

Follow the short steps Wordfence gives you.

When finished the status should say:

Protection Level: Extended Protection

This means the firewall runs before WordPress loads, which is ideal.

STEP 2 — Turn on malware scanning

Go to:

Wordfence → Scan

Click Start New Scan

This first scan may take several minutes.

This checks for:
• Malware
• Backdoors
• Modified core files
• Suspicious plugins

Let it finish.

Configure automatic daily scans

Wordfence → Scan → Scan Options

Enable:
• Daily scan
• Scan theme files
• Scan plugin files
• Scan core files
• Scan for malware signatures
• Scan for known vulnerabilities

Save.

Now your site scans itself every day.

STEP 3 — Lock down WordPress settings

This step blocks common hacking techniques.

Go to:

Wordfence → Firewall → All Firewall Options

Enable these:

✔ Enable Rate Limiting
✔ Block fake Google crawlers
✔ Immediately block IPs that access admin pages without permission
✔ Block IPs who try too many logins
✔ Disable XML-RPC authentication (important!)

Save.

These stop automated attack bots.

STEP 4 — Hide your WordPress version

This removes a common attack signal.

Install plugin:

WP Hardening

Plugins → Add New → search WP Hardening

Activate → open plugin.

Enable:
• Hide WordPress version
• Disable file editing
• Disable PHP in uploads
• Protect wp-config.php

Save.

STEP 5 — Add automatic backups (VERY IMPORTANT)

Security is incomplete without backups.

If something ever happens, backups are your “undo button”.

Install plugin:

UpdraftPlus

Plugins → Add New → search UpdraftPlus

Install → Activate.

Configure automatic backups

Settings → UpdraftPlus Backups → Settings tab

Choose storage:
Google Drive is easiest.

Click Connect to Google Drive and authorize.

Set schedule:

Database backup: Daily
Files backup: Weekly
Keep backups: 4

Save.

Now your site backs itself up automatically.

STEP 6 — Enable Hostinger malware scanner

Log into Hostinger.

Go to:

Websites → Manage → Security

Enable:

• Malware Scanner
• DDoS protection
• WAF (Web Application Firewall)

Turn ON everything available.

These run at the server level.

What you now have

Your site now has five security layers:

1. Cloudflare hides admin login

2. YubiKey required to reach login

3. WordPress YubiKey login inside dashboard

4. Wordfence firewall + malware scanner

5. Automatic off-site backups

This is a very strong setup.

Realistic result

No website is 100% hack-proof.
But your site is now in the very difficult target category.

Hackers almost always move on to easier sites.

If you’d like, we can now do a quick “security checklist” to make sure the previous Russian file issue is fully cleaned and your site reputation improves.

Great — this step is about making sure the previous hack is truly gone and restoring trust with Google and browsers. We’ll do a careful post-hack cleanup checklist.

Take this slowly and check off each item.

Phase 1 — Make sure the infection is gone

We want proof that no malicious files remain.

1) Run a full Wordfence deep scan again

WordPress → Wordfence → Scan → Start New Scan

When the scan finishes, review the results carefully.

Look for anything labeled:

• Malware
• Backdoor
• Suspicious file
• Unknown file in wp-includes or wp-admin
• Modified core files

For any result, choose Delete file or Repair file.

If Wordfence says “Repair”, click Repair — it restores the original WordPress file safely.

When the scan shows No issues found, continue.

2) Check the File Manager in Hostinger

Log into Hostinger → Websites → Manage → File Manager

Open your main site folder (usually public_html).

Look for files that should NOT exist:

Common malware names:

Also look for randomly named PHP files in:
• /wp-admin
• /wp-includes
• root folder

WordPress core folders should contain almost no random PHP files.

If you see suspicious files → delete them.

3) Replace WordPress core files (important)

This ensures hidden malware is removed.

In WordPress dashboard:

Updates → Reinstall WordPress

This does NOT delete content.

It replaces all core files with clean ones.

Very important step after a hack.

Phase 2 — Reset all passwords

Even if the hack is gone, assume passwords were seen.

Change ALL of these:

• WordPress admin password
• Hostinger account password
• Hosting FTP/SFTP password
• Database password
• Email account passwords linked to site

Use long unique passwords.

This closes old doors permanently.

Phase 3 — Remove unused plugins and themes

Old plugins are the #1 cause of hacks.

Go to:

WordPress → Plugins

Delete anything you are not actively using.

Then go to:

Appearance → Themes

Keep only:
• Your active theme
• One default WordPress theme (like Twenty Twenty-Four)

Delete the rest.

Phase 4 — Check Google Safe Browsing

We want to confirm Google doesn’t think your site is infected.

Visit:
https://transparencyreport.google.com/safe-browsing/search

Enter your domain:
mbsrtraining.com

Result should say:
No unsafe content found

If it shows a warning, tell me — we’ll request a review.

Phase 5 — Connect Google Search Console (if not already)

This helps rebuild trust and indexing.

Go to:
https://search.google.com/search-console

Add property → enter your domain.

Verify using the DNS method (Cloudflare makes this easy).

Once verified:

Go to Security & Manual Actions → Security Issues

It should say:
No issues detected

Phase 6 — Submit your site for re-crawling

In Search Console:

URL Inspection → enter homepage URL → click Request Indexing

Do this for:
• Homepage
• 3–5 important pages

This tells Google:
“The site is clean again.”

Traffic recovery usually starts within weeks.

Phase 7 — Enable Cloudflare security settings

Back in Cloudflare dashboard → Security → Settings.

Turn ON:

Security Level → Medium
Bot Fight Mode → ON
Browser Integrity Check → ON
Always Use HTTPS → ON

These block many automated attacks.

What this cleanup achieves

You have now:

• Removed malware
• Replaced infected files
• Closed stolen passwords
• Removed vulnerable plugins
• Rebuilt trust with Google
• Added strong security layers

Your site is now in a much healthier state.

If you’d like, we can now talk about how to help your search traffic recover after the hack (this is very common and fixable).

Perfect — traffic drops after a hack are very common and very recoverable.
Google simply becomes cautious for a while. Now we help it trust the site again.

Think of this phase as rebuilding reputation.

Why traffic drops after a hack

Google may temporarily:

• Crawl the site less often
• Remove pages from results
• Lower rankings
• Show warnings (sometimes)

This is automatic protection for searchers.

The fix is to show Google:
“The site is clean, active, and trustworthy again.”

We’ll do that step-by-step.

STEP 1 — Submit a fresh sitemap

This is the single most important recovery step.

If you use Yoast SEO (you do), your sitemap already exists:

Your sitemap URL:

Submit it to Google

Open Google Search Console → Sitemaps → Add new sitemap

Paste:

Click Submit.

Google will now re-discover your entire site quickly.

STEP 2 — Request reindexing of key pages

In Search Console:

Use URL Inspection and request indexing for:

• Homepage
• Mindfulness course pages
• Main practice pages
• Any cornerstone articles

Do 10–15 important pages over a few days.

This signals active maintenance.

STEP 3 — Publish a small update (very powerful)

Google loves “fresh activity” after a hack.

Update the homepage slightly:

Add a small section near the bottom like:

“Updated for 2026”

Add a short paragraph explaining the site is actively maintained and updated regularly.

You don’t need to mention the hack.

Just signal freshness.

This helps crawling resume.

STEP 4 — Check indexing status

In Search Console → Pages → Indexing

You’ll likely see pages labeled:

• Crawled – currently not indexed
• Discovered – currently not indexed

This is normal after a hack.

They usually move back to indexed over 2–6 weeks.

STEP 5 — Strengthen internal linking

Google rebuilds trust faster when pages link to each other clearly.

Add links between major pages:

From homepage link to:
• 9 Attitudes page
• Three Embraces page
• Mindfulness for Anxiety page

Add a simple section on the homepage:

Start Here

with links to 3–5 core pages.

This helps Google rediscover content faster.

STEP 6 — Resubmit the homepage weekly (for a month)

Once per week:

Search Console → URL Inspection → Homepage → Request Indexing.

This gently tells Google:
“This site is alive and updated.”

Do this for about 4 weeks.

STEP 7 — Expect the recovery timeline

Typical recovery after hack cleanup:

Week 1–2 → Crawling increases
Week 3–4 → Pages reappear in search
Month 2–3 → Rankings stabilize
Month 3–4 → Traffic returns

Sometimes faster.

The security work you did helps enormously.

Optional boost (helps a lot)

Publish 1–2 new articles or update older ones.

Even small updates help.

Google rewards active sites.

The big picture

Your site now has:

• Strong security
• Clean files
• Fresh sitemap
• Reindex requests
• Updated content
• Better internal links

This is exactly what Google wants to see after a compromise.

Traffic recovery is now a matter of time.

If you’d like, we can now review your homepage and suggest small SEO improvements to help the recovery move faster.

Great — this is a perfect time to gently strengthen the homepage so Google clearly understands the site again.

I’ll give you practical homepage improvements specifically for MBSRtraining.com that help recovery, clarity, and rankings.

First — What Google needs from your homepage

Your homepage must clearly answer in the first few seconds:

• What is this site about?
• Who is it for?
• What problem does it solve?
• Where should visitors go next?

After a hack, Google especially looks for clarity and structure.

STEP 1 — Improve the Homepage Title (very important)

Your homepage title is one of the strongest ranking signals.

A strong title should include:

• Mindfulness

• MBSR

• Anxiety / Stress / Pain

• Training or Course

Recommended homepage title

Mindfulness-Based Stress Reduction (MBSR) Training | Free Mindfulness Courses for Anxiety & Stress

This is clear, keyword-rich, and natural.

STEP 2 — Improve the Meta Description

This helps searchers click your result.

Suggested meta description

Learn practical mindfulness skills to reduce anxiety, stress, fear, and chronic pain. Explore free MBSR training, guided practices, and gentle daily mindfulness tools.

Paste this into Yoast → Homepage → Meta description.

STEP 3 — Strengthen the top section (“Hero”)

The first text on the homepage should clearly describe the site.

Add a short intro section near the top if it isn’t already there.

Suggested homepage intro text

H1:
Mindfulness-Based Stress Reduction Training

Paragraph below H1:

This website offers gentle, practical mindfulness training based on Mindfulness-Based Stress Reduction (MBSR). You’ll find free practices, guided exercises, and simple daily tools for working with anxiety, stress, fear, pain, and life’s challenges.

This helps Google instantly understand the site.

STEP 4 — Add a “Start Here” section (very powerful)

This helps visitors AND search engines.

Place this section mid-homepage.

Section heading:

Start Here

Add links to your 4–5 most important pages:

Example:

• Mindfulness for Anxiety and Fear
• The Three Embraces Daily Practice
• The 9 Attitudes of Mindfulness
• Free MBSR Course
• Practice Library

This improves internal linking and crawling.

STEP 5 — Add a short “About this site” paragraph

Google likes knowing who created content and why.

Place near the bottom of the homepage.

Suggested text

This site shares mindfulness practices drawn from Mindfulness-Based Stress Reduction (MBSR). The goal is to make these skills simple, gentle, and freely available for anyone experiencing stress, anxiety, grief, or life transitions.

This builds trust (E-E-A-T signals).

STEP 6 — Add “Updated for 2026” signal

After a hack, freshness helps rankings return.

Add near the bottom:

This site is actively maintained and regularly updated.

Simple but powerful.

STEP 7 — Ensure one clear H1 only

Homepage should have:

ONE H1 only:
Mindfulness-Based Stress Reduction Training

Subsections use H2/H3.

Many WordPress sites accidentally have multiple H1s.

This is worth checking.

STEP 8 — Homepage internal link boost

Add links within the text to important pages using natural phrases like:

• mindfulness for anxiety
• daily mindfulness practice
• free MBSR training
• mindfulness for stress

These internal links help Google rebuild site structure.

STEP 9 — Add FAQ section (optional but strong)

Google loves FAQs for trust and search visibility.

Add 3 simple questions near bottom:

What is MBSR?
Can mindfulness help anxiety?
Is this training free?

Short answers are enough.

What these changes do

They tell Google:

• The site is active
• The topic is clear
• The content is trustworthy
• The structure is strong
• The site deserves crawling again

This directly helps recovery.

If you’d like, we can now craft the exact Yoast SEO settings for the homepage so everything is perfectly filled in.

Perfect — here are the exact Yoast SEO fields to paste into the homepage of mbsrtraining.com.

Open your homepage in WordPress → scroll down to the Yoast SEO box → fill in each field below.

YOAST SEO — HOMEPAGE SETTINGS

SEO Title (Page Title)

Paste this into the SEO title field:

Mindfulness-Based Stress Reduction (MBSR) Training | Free Mindfulness for Anxiety & Stress

Why this works:
• Clear topic (MBSR + Mindfulness)
• Strong search phrases (anxiety, stress)
• “Free” increases clicks
• Good length for Google display

Slug (URL)

Your homepage slug should remain:

(No change needed.)

Meta Description

Paste this exactly:

Learn practical mindfulness skills to reduce anxiety, stress, fear, and chronic pain. Explore free MBSR training, guided practices, and gentle daily mindfulness tools.

This encourages clicks and explains the benefit clearly.

Focus Keyphrase

Enter:

Mindfulness-Based Stress Reduction

This helps Yoast evaluate the page correctly.

Synonyms / Related Keyphrases (Yoast Premium)

If available, add:

• MBSR training
• mindfulness for anxiety
• mindfulness for stress
• free mindfulness course
• mindfulness practices

SOCIAL SETTINGS (Very important)

Click the Social tab in Yoast.

Facebook Title

Free Mindfulness-Based Stress Reduction (MBSR) Training

Facebook Description

Gentle mindfulness practices for anxiety, stress, fear, and chronic pain. Explore free MBSR training and daily mindfulness tools.

Twitter Title

Use the same as Facebook.

Twitter Description

Use the same as Facebook.

SCHEMA SETTINGS

In Yoast → Schema tab:

Page type → Web Page
Article type → None

This is correct for a homepage.

CORNERSTONE CONTENT

Turn ON:

Cornerstone content

Your homepage is the most important page on the site.

INDEXING SETTINGS

Advanced tab → confirm:

Allow search engines to show this page → Yes
Follow links → Yes

After saving

After you click Update, do this:

1. Open Google Search Console

2. Use URL Inspection

3. Enter: https://mbsrtraining.com/

4. Click Request Indexing

This tells Google the homepage has been improved.

Your homepage SEO is now fully optimized and aligned with your recovery plan.

If you’d like, we can do the same Yoast optimization for your most important practice page next (that helps recovery even faster).