Limit Login Attempts
Installing the WordPress plugin Limit Login Attempts is a great first step. The hosting company wpengine.com installs this on every site.
When you’re setting up your site, try to make your username hard to guess. It isn’t shown on your site, so you can make it anything.
If you use public wifi without seeing the “lock” icon in your browser, your password might be seen by a hacker nearby.
But you can make this slightly safer by…
Reducing Your Privileges
If your password gets stolen, the damage will be limited if you’re not an “administrator.”
If you see the “Plugins” section in your admin screen, you are an administrator.
If you’re an administrator now, you might set up a second user as an editor. Do this by clicking the “Users” link in the image on the left.
You can publish with the same name.
User input can be dangerous.
For example, if you have an email subscription form, the user will enter something and it might get stored in your database. Your plugin needs to block malicious code.
Stay with the established plugins for anything using forms. I use Gravity Forms.
If a plugin only changes your site’s display, it probably won’t be a danger. For example, my plugin Bootstrap Widget Styling only re-formats widgets.
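To show what "blocking malicious code" means for the email subscription form mentioned above, here is an added example (not code from this post or from any plugin it names) of a minimal handler that checks, cleans and stores the input. The "example_subscribe" action, the field names and the "example_subscribers" table are hypothetical, and the table is assumed to exist already.

```php
<?php
/**
 * Plugin Name: Example Subscribe Form (illustration only)
 */

// Render the form. The nonce ties a submission to a page this site served.
add_shortcode( 'example_subscribe', function () {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_subscribe">
        <?php wp_nonce_field( 'example_subscribe', 'example_nonce' ); ?>
        <input type="email" name="email" required>
        <button type="submit">Subscribe</button>
    </form>
    <?php return ob_get_clean();
} );

// Read one POST field as a string; arrays and missing fields become ''.
function example_post_string( $key ) {
    return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) ? wp_unslash( $_POST[ $key ] ) : '';
}

function example_handle_subscribe() {
    // 1. Reject requests that did not come from our own form.
    if ( ! wp_verify_nonce( example_post_string( 'example_nonce' ), 'example_subscribe' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 400 ) );
    }
    // 2. Sanitize, then validate: anything that is not a plain email is refused.
    $email = sanitize_email( example_post_string( 'email' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid email address.', '', array( 'response' => 400 ) );
    }
    // 3. Store with $wpdb->insert(), which builds a prepared query from the
    //    %s formats, so the input cannot change the SQL statement.
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'example_subscribers', // hypothetical table
        array( 'email' => $email, 'created_at' => current_time( 'mysql' ) ),
        array( '%s', '%s' )
    );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
// Handle submissions from logged-out and logged-in visitors.
add_action( 'admin_post_nopriv_example_subscribe', 'example_handle_subscribe' );
add_action( 'admin_post_example_subscribe', 'example_handle_subscribe' );

// 4. Escape again whenever a stored value is displayed, for example:
//    echo esc_html( $row->email );
```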
Watch for updates. You’ll see a red circle on the left of your admin screen.
Click “Updates,” and click “version details” for each plugin. If you see the words “bug fix” or “security,” update it.
Some people think they’re not a big target, and that hackers wouldn’t waste their time on them.
But hackers don’t usually attack sites themselves. They set up many computers to do it.
If they take over your site, they can use it to send malicious files to your users.
But with these simple website security steps, you will be more protected.