Don't look surprised when your WordPress site is hacked. Is WordPress security really so weak?
No, not really. WordPress is just popular, and as such it attracts far more attacks. Still, as a heavy WordPress user I can give you some good tips to keep your site secure. I'll divide this into setting up the site and securing the site: the first you should only need to do once, the other is best done on an ongoing basis. I'm also assuming that your server is set up correctly and secured, that your WordPress is up to date, and that your own computer is secure as well. If those are good, then what I say below will keep you 99% safe!
Secure on Setup
In wp-config.php, when you install, set $table_prefix = 'whateveryouwant'; to a random string. This defeats SQL-injection scripts that hard-code the default wp_ table prefix. (If WordPress is already installed, use a tool like phpMyAdmin to go into the database and rename the tables with the new prefix, then put that prefix in wp-config.php.)
In wp-config.php, under define('WP_DEBUG', false); add define('DISALLOW_FILE_EDIT', true); This disables editing of theme and plugin PHP files from inside the WordPress dashboard. Most people don't edit them there anyway (I just log in with SFTP and edit directly), so someone trying to exploit the site has a harder time doing so.
Use a strong password. I know it's silly to say, but a strong, unique password with lots of letters, numbers and symbols is always a good thing.
On First Login
Log in with the default admin account, create a new account with administrator privileges, and then delete the old admin account. This sidesteps login requests and brute-force attempts aimed directly at user ID 1 or the "admin" account.
Disable user registration: go to the options panel and turn off user registration. If you don't intend for other users to post, there is no point in allowing registration.
Install only the plugins you need. Even when disabled, keep only the plugins and themes you actually use; unused ones could still be used against you.
Security Plugins to Install
BruteProtect or Login LockDown, to limit login attempts and block brute-force attacks (or alternatively find a two-step authentication plugin).
Install a clean theme. Get a good free theme from WordPress.org or a paid one from a reputable provider, and keep it up to date. The more complex the theme, the more likely it contains code that may become insecure, so get a good one and keep it updated.
Advanced Automatic Updates, which keeps your WordPress install and plugins up to date!
Akismet. It ships with WordPress for a reason: before it, WordPress comments were horrible and plagued with tons of spam.
Extra!
Please, pleassseeee make backups. Don't trust your web host; make your own. That's the only true way of being 100% secure. Use a plugin for it; I like BackUpWordPress and Keep Backup Daily, but any you like will do!
Use Cloudflare or Incapsula. These give plenty of extra features, like a CDN, but they also filter your traffic and protect you from a lot of nasty stuff on the web.
Wordfence or Better WP Security, if you want heavier security. It's totally optional, and in my opinion if you are already well locked down they don't add anything!
Use .htaccess to lock down wp-admin if you are the only user; search Google, there are plenty of sites explaining how.
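As an added example (not from the original post), here is what that lock-down looks like for Apache 2.4 or newer. It restricts wp-admin and wp-login.php to a single trusted address; 203.0.113.10 is a placeholder, replace it with your own IP. It assumes AllowOverride lets .htaccess files set authorization directives.

```apache
# File 1: <wordpress-root>/wp-admin/.htaccess
# Only the listed address may reach anything under wp-admin.
# (203.0.113.10 is a placeholder; put your own address here.)
Require ip 203.0.113.10

# Themes and plugins call these two scripts from the public front end,
# often for visitors who are not logged in, so leave them open or
# front-end features (AJAX search, contact forms, etc.) will break.
<Files admin-ajax.php>
    Require all granted
</Files>
<Files admin-post.php>
    Require all granted
</Files>

# File 2: add to <wordpress-root>/.htaccess
# wp-login.php lives in the site root, not under wp-admin, so the
# rule above does not cover it; restrict it here as well.
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>
```

If your home connection gets a new address you will lock yourself out of the dashboard; the files are still reachable over SFTP, so just update the IP there.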
Use the WordPress Jetpack plugin. It protects you from some security flaws, helps with automatic plugin installs, and does a ton of other things.
Use MxToolbox or Sucuri SiteCheck to check whether your site has been exploited!
The best rule of all is to be prepared for the worst: have backups, and check from time to time that your site is up to date and everything is running fine. Most of this is automated, but it's best to always keep an eye on it, and if everything breaks, just clean everything out and restore a backup 🙂