Website Security

6 Ways to secure your WordPress website


1. Choose strong passwords and reset them regularly

The most common security flaw is human error. Complacency gives attackers more opportunity than anything else. Never use a password that you have used for something else. Always make sure your passwords are ten or more characters and that they include numbers and symbols. Never, never, never use ‘admin’ as your username.

Consider using a password manager. There are plenty available. They store your passwords securely and allow you to generate unique secure passwords for each instance without needing to remember a single password.

You should also insist that everyone in your team, yourself included, change their passwords on a regular basis.

2. Move your login page away from /wp-admin

With a plugin like https://wordpress.org/plugins/wps-hide-login/ you can move your login to any page you like. This reduces the likelihood of a brute-force attack.

3. Review and manage your user accounts

It is always a good idea to review which users have access to your website. Don’t let just anyone be an admin on your site. That role should be reserved for you, the owner, and maybe one or two others whom you can trust to administer your website. Giving someone admin access is like giving someone the keys to your house and car. Be selective, and if someone with this level of access leaves or is no longer working on your website, delete their user account immediately. Don’t worry about losing content that they may have contributed; you will be given the option to re-attribute that content to another user as part of the removal process. Do not keep an account active and simply pass the login details on to a new team member. Create a new user account for each new person and close down any old ones. All roles such as editor, author and contributor should be checked and treated the same. Having as few users as possible means fewer points of weakness for attackers to try to exploit. It also means that there are fewer humans involved, and human error is often the weakness easiest to exploit.

4. Keep plugins and themes up to date

Regularly check and keep your plugins and themes up to date. Back your website up before you do so. Keeping up to date not only helps with your security but also your website’s stability and compatibility. This is because these incremental updates include more than just security patches. They also include bug fixes which could save your website from functioning incorrectly or breaking altogether. It is precisely these unaddressed bugs that attackers look for and use to gain access to your website. When your website is up to date you can be confident that it is better protected against the latest threats and will have the best chance to run smoothly with the latest web technologies.

On the topic of themes and plugins, make sure to delete any that are not being used. Even the ones not in use might provide means for attackers to gain access. A clean house and suspicious mind are great ways to keep your WordPress website safe.
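The reviews described in sections 3 and 4 can be scripted. The following is an added example, not part of the original article: it checks the JSON that WP-CLI prints for `wp user list --format=json` and `wp plugin list --format=json`. The sample records, the function names and the `MAX_ADMINS` limit of three are assumptions made for illustration.

```python
import json

# Constructed sample records, shaped like WP-CLI's JSON output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "owner-jo", "roles": "administrator"},
    {"ID": 3, "user_login": "dev-sam", "roles": "administrator"},
    {"ID": 4, "user_login": "agency", "roles": "administrator,editor"},
    {"ID": 5, "user_login": "writer-lee", "roles": "author"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available", "version": "5.1"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.0"},
    {"name": "seo-tool", "status": "active", "update": "none", "version": "9.3"},
])
MAX_ADMINS = 3  # assumption: the owner plus "one or two others"


def audit_users(users_json, max_admins=MAX_ADMINS):
    """Flag the 'admin' username and an oversized administrator group."""
    findings, admins = [], []
    for user in json.loads(users_json):
        login = user["user_login"]
        # WP-CLI reports roles as one comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if login.lower() == "admin":
            findings.append(f"{login}: replace the default 'admin' username")
        if "administrator" in roles:
            admins.append(login)
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrators: {', '.join(admins)}")
    return findings


def audit_plugins(plugins_json):
    """Flag unused plugins for deletion and active ones with pending updates."""
    findings = []
    for plugin in json.loads(plugins_json):
        name, status = plugin["name"], plugin["status"]
        if status == "inactive":
            findings.append(f"{name}: inactive, delete it")  # even if an update exists
        elif plugin.get("update") == "available":
            findings.append(f"{name} {plugin['version']}: back up, then update")
    return findings


if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS) + audit_plugins(SAMPLE_PLUGINS):
        print(line)
```

To run it against a real site, replace the sample strings with the output of the two WP-CLI commands named above.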

5. Install only trustworthy plugins and themes

When choosing themes and plugins, always look for examples from trusted developers. You can also see how many times a plugin has been downloaded and check what feedback and reviews it has received. Look at when it was last updated and check that it is compatible with the version of WordPress your site is running on. Also take a look at the support offered and the associated documentation. There are often alternatives for plugins and themes, so do a bit of research and don’t simply use the first ones you find.

6. Insist on using quality WordPress-specific hosting

WordPress-specific hosting often means that the host takes more responsibility for securing your website than a more generic host might. A quality host will even ask that you do not install security plugins as they may conflict with the security measures that they have in place on your behalf. They will also offer automated nightly backups and will do what they can to remove any malware should your site be compromised. Server-borne security will always be superior to that provided by a plugin. If your web host does not provide security, make sure to install a quality plugin that is fit for purpose.