How to keep your WordPress site secure

Step 1: Use strong passwords! And keep them unique for each account.

I use Lastpass to create and store unique and complicated passwords for all accounts.  I attended a security webinar where the instructor showed us how you can hack any WordPress site that uses a word-number combination in less than 5 minutes.  There are scripts that can run thousands of word-number combinations per second.  Hackers use these scripts to “guess” your password.  They even know the common tricks like replacing some letters with characters, so sorry, but $uperM@n1970 is not a secure password.  It will be cracked in less than 5 minutes if someone really wants into your site and you don’t have secondary security in place.

This is not just for your WordPress login… your host and domain registrar passwords must also be unique and secure.

Further Reading: Unmasked: What 10 million passwords reveal about the people who choose them

Need a secure password right now?  Lastpass has this awesome generator: https://lastpass.com/generatepassword.php
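To make the point in Step 1 concrete, here is an added example (my own, not from any password manager or from WordPress) of a defender-side policy check: it undoes the usual character substitutions before comparing against a dictionary, so “$uperM@n1970” is rejected as “superman” plus a year, and it compares the size of the word-plus-digits search space with that of a randomly generated password. The wordlist is a constructed six-entry stand-in for a real dictionary file.

```python
import math
import re
import secrets
import string
from typing import Optional, Tuple

# Substitutions that guessing rules routinely undo; written from the
# defender's side so we reject passwords that only look complex.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "+": "t"})

# Constructed mini wordlist for the demo; load a real dictionary in practice.
WORDLIST = {"superman", "password", "welcome", "wordpress", "admin", "letmein"}

def split_word_digits(password: str) -> Tuple[str, str]:
    """Split 'word + trailing digits' BEFORE undoing substitutions, so a
    year such as 1970 is not itself rewritten into letters."""
    m = re.fullmatch(r"(.*?)(\d*)", password)
    return m.group(1), m.group(2)

def looks_like_word_number(password: str) -> bool:
    """True when the password is a dictionary word (after de-leeting and
    lowercasing) followed by up to six digits, e.g. $uperM@n1970."""
    word, digits = split_word_digits(password)
    return len(digits) <= 6 and word.translate(LEET).lower() in WORDLIST

def policy_error(password: str, min_len: int = 16) -> Optional[str]:
    """Return a rejection reason for a proposed password, or None if it passes."""
    if looks_like_word_number(password):
        return "dictionary word plus digits, even with symbol substitutions"
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    return None

def guess_space_bits(words: int, digit_positions: int,
                     alphabet: int, length: int) -> Tuple[float, float]:
    """Search space in bits: (word + digits combos, random characters)."""
    return (math.log2(words * 10 ** digit_positions),
            length * math.log2(alphabet))

def generate_password(length: int = 20) -> str:
    """Random password over the 94 printable ASCII characters (stdlib secrets)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ("$uperM@n1970", "P@55w0rd", generate_password()):
        print(f"{pw!r}: {policy_error(pw) or 'accepted'}")
    # 100k-word dictionary with 4 digits vs. 16 random characters
    print("bits (word+digits, random):", guess_space_bits(100_000, 4, 94, 16))
```

With a 100,000-word dictionary and four trailing digits the search space is under 30 bits, while 16 random printable characters give roughly 105 bits, which is why the generator beats any memorable word-plus-year scheme.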

Step 2: Regularly perform updates.

You can learn to update/backup your site or you can subscribe to a service to do it for you.  An outdated WordPress core, theme, or plugin is a huge security risk.

See my page on why your WordPress site needs maintenance: https://carleighrochon.com/wordpress-maintenance

Step 3: Access your site and host securely

This is a little basic, but both your machine and your connection need to be secure.  I don’t ever suggest logging into your wp-admin or your host from an insecure connection like coffee shop WiFi or the like.

Step 4: Use HTTPS

I bet you’ve already heard this one.  The latest word is that Google is setting Oct 2017 as the must-have HTTPS date, after which they will flag your site as insecure in Chrome.  Ouch, don’t let that happen to you, especially now that Let’s Encrypt gives away SSL certificates for free.

Where to start?

See if your host offers free Let’s Encrypt certificates (my two favorite hosts do).  If not, they will likely sell you one, or you can always change hosts.

This post has a great checklist for making the switch: http://searchengineland.com

Step 5: Use quality, professional, supported Themes and Plugins.

People love WordPress for its infinite scalability and add-ons via the theme and plugin libraries.  You can spend days finding super cool plugins that claim to do all sorts of things for your site.  But should you?  I use professional themes, like StudioPress Themes for WordPress, with full-time support and a trusted reputation.  I license most interactive plugins because I know that they are being supported and updated.  It happens that free plugins stop getting supported, eventually get hacked, and the hack spreads to all the sites that have that plugin.  Sad, scary truth.  So check that any theme or plugin you plan to use has a solid reputation and is being updated and supported by a trusted developer.