I used to run a website design business.
I have dealt with many hacked WordPress sites over the years, and even though I am focussed more on the programming side these days, here is what I learned about keeping WordPress sites secure.
1. Keep the number of plugins to a minimum.
Most WordPress compromises come in through plugins rather than WordPress core, so every plugin you install widens the attack surface. If you are not using a plugin, remove it.
If you are not sure whether something depends on it, deactivate the plugin first and check that the site still works, then delete it. Deactivation is a test step, not the end state: a deactivated plugin's files are still on the server and can still be reached directly.
2. Enable plugin auto-updates
I have seen sites that have not had plugins updated since the site launched 2 years ago.
You can only imagine the security holes there!
Go to the Plugins page and enable auto-updates for every plugin. If you have a reason not to auto-update a particular plugin, log in to the site at least weekly and apply its updates by hand. One caveat: WordPress runs scheduled tasks such as auto-updates from WP-Cron, which only fires when the site receives requests, so on a very quiet site trigger it from the server's own cron instead of relying on visitors.
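Steps 1 and 2 are easier to enforce from the command line than by clicking through the Plugins page, and a script also works across several sites. The following is an added example, not code from the original post: it reads the plugin inventory in the CSV shape that WP-CLI's `wp plugin list --fields=name,status,update,auto_update --format=csv` produces and prints the WP-CLI commands that delete inactive plugins, enable auto-updates on active plugins that lack them, and apply pending updates. The inventory embedded below is constructed sample data, not taken from a real site, so the script runs offline.

```shell
#!/bin/sh
# Plugin audit for a WordPress install, driven by WP-CLI's plugin inventory.
# Added example, not code from the original post. The inventory is the CSV
# that this WP-CLI command produces (run in the WordPress directory):
#   wp plugin list --fields=name,status,update,auto_update --format=csv
# plan_plugin_actions turns that inventory into the WP-CLI commands that
# enforce rules 1 and 2 of the post: delete inactive plugins, switch
# auto-updates on for active ones that lack it, and apply pending updates.
# It prints the commands instead of running them so the plan can be reviewed.

plan_plugin_actions() {
    inventory=$1    # path to the CSV file, header line first
    tail -n +2 "$inventory" | while IFS=, read -r name status update auto_update; do
        case "$status" in
            inactive)
                # Rule 1: a deactivated plugin is still code on disk, so remove it.
                printf 'wp plugin delete %s\n' "$name"
                ;;
            active|active-network)
                # Rule 2: every active plugin should update itself.
                if [ "$auto_update" != "on" ]; then
                    printf 'wp plugin auto-updates enable %s\n' "$name"
                fi
                # A pending update is an open window; apply it now rather than
                # waiting for the next WP-Cron run.
                if [ "$update" = "available" ]; then
                    printf 'wp plugin update %s\n' "$name"
                fi
                ;;
            *)
                # must-use and drop-in plugins are not managed through these commands.
                ;;
        esac
    done
}

# Constructed sample inventory (not taken from a real site) so the script
# runs offline; replace it with the output of the wp command above.
write_sample_inventory() {
    cat > "$1" <<'EOF'
name,status,update,auto_update
akismet,active,none,on
contact-form-7,active,available,off
hello,inactive,none,off
wordfence,active,none,on
old-slider,inactive,available,off
EOF
}

# Stand-alone demo: build the plan for the sample inventory and print it.
# Against a live site, review the plan, then run it:
#   wp plugin list --fields=name,status,update,auto_update --format=csv > inv.csv
#   plan_plugin_actions inv.csv | sh
sample=$(mktemp)
write_sample_inventory "$sample"
plan_plugin_actions "$sample"
rm -f "$sample"
```

For the sample inventory the plan is four commands: enable auto-updates and apply the pending update for contact-form-7, and delete hello and old-slider; akismet and wordfence are already in the desired state. If you simply want everything to auto-update, `wp plugin auto-updates enable --all` does it in one step, but reviewing a plan first is what catches the plugin you meant to keep pinned.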
3. Install Wordfence
Wordfence is a free plugin that scans your site's files for malware and for core, plugin and theme files that differ from the versions published on wordpress.org. Run a scan at least monthly and act on the findings; a scan nobody reads protects nothing. The plugin can also run a web application firewall and several other hardening features.
4. Run behind Cloudflare
This one is a bit more technical, but if you host your DNS on Cloudflare and proxy the site through it, you get a good deal of protection from bot attacks on the free plan. Two caveats: the protection only holds if the origin server cannot be reached directly, so restrict inbound web traffic to Cloudflare's published IP ranges; and because requests now arrive from Cloudflare, tell Wordfence to take the visitor IP from the CF-Connecting-IP header, otherwise its blocking and rate limiting see Cloudflare's addresses instead of the attacker's.
The paid plans are awesome if you need a hugely performant website. I have a paid plan on HorseRecords.info and could not be happier with the benefits in speed and protection Cloudflare provides.
Cloudflare also has a WordPress-specific optimisation mode, found under the Speed > Optimisation menu. It requires installing Cloudflare's WordPress plugin and a paid plan.
5. Have a full site backup
If the worst happens and the site is hacked, the easiest fix is usually to restore from a clean backup and then close the hole that let the attacker in, otherwise the next backup will contain the same compromise. Make sure the site (files and database) is backed up regularly, that backups are kept somewhere other than the web server itself, that several generations are retained in case the newest one already contains the attacker's files, and that you have actually tested a restore.
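A backup you can trust after a hack needs more than a copy: the database as well as the files, a checksum to show the archive is intact, and more than one generation. The following is an added example, not code from the original post, showing one way to do that from the server. It assumes WP-CLI (`wp db export`) for the database dump so that credentials come from wp-config.php rather than the script, GNU coreutils for `sha256sum`, and that the destination directory is copied off the web server afterwards; all paths and the retention count are placeholders.

```shell
#!/bin/sh
# Backup routine for a WordPress install: an archive of the files, a dump of
# the database, a checksum beside each artifact, and a retention policy.
# Added example, not code from the original post. Paths, the retention count
# and the use of WP-CLI for the database dump are assumptions. Requires
# GNU coreutils (sha256sum) and tar.

# Archive $site_dir into $dest/files-$stamp.tar.gz and write a SHA-256 beside
# it, so a restore can first check the archive is intact and unmodified.
backup_files() {
    site_dir=$1 dest=$2 stamp=$3
    archive="files-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$dest/$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    ( cd "$dest" && sha256sum "$archive" > "$archive.sha256" )
    printf '%s\n' "$dest/$archive"
}

# Dump the database. WP-CLI reads the credentials from wp-config.php, so none
# are stored here. Not exercised offline because it needs `wp` and the DB.
backup_database() {
    site_dir=$1 dest=$2 stamp=$3
    dump="db-$stamp.sql"
    wp --path="$site_dir" db export "$dest/$dump"
    ( cd "$dest" && sha256sum "$dump" > "$dump.sha256" )
}

# Delete all but the newest $keep generations (files, dump and checksums).
# Stamps are zero-padded (date +%Y%m%dT%H%M%S), so a reverse lexical sort
# is newest-first.
prune_backups() {
    dest=$1 keep=$2
    for f in "$dest"/files-*.tar.gz; do
        [ -e "$f" ] || continue
        stamp=${f##*/files-}
        stamp=${stamp%.tar.gz}
        printf '%s\n' "$stamp"
    done | sort -r | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$dest/files-$old.tar.gz" "$dest/files-$old.tar.gz.sha256" \
              "$dest/db-$old.sql" "$dest/db-$old.sql.sha256"
    done
}

# Check every artifact against its recorded checksum; a non-zero exit means
# the backup set must not be trusted for a restore.
verify_backups() {
    dest=$1
    for sum in "$dest"/*.sha256; do
        [ -e "$sum" ] || continue
        ( cd "$dest" && sha256sum -c --quiet "$(basename "$sum")" ) || return 1
    done
}

# Full run: files and database, prune, verify. Copy $dest off the web server
# afterwards (rsync, rclone, object storage); a backup that lives beside the
# site is lost or trojaned along with it.
run_backup() {
    site_dir=$1 dest=$2 keep=$3
    stamp=$(date +%Y%m%dT%H%M%S)
    backup_files "$site_dir" "$dest" "$stamp"
    backup_database "$site_dir" "$dest" "$stamp"
    prune_backups "$dest" "$keep"
    verify_backups "$dest"
}

# Usage (placeholder paths): backup.sh /var/www/example /var/backups/example 7
if [ "$#" -eq 3 ]; then
    run_backup "$@"
fi
```

Schedule it from cron daily, and rehearse the restore at least once on a scratch server: extract the archive, import the dump with `wp db import`, and confirm the site comes up. A checksum mismatch on the day you need the backup is exactly the failure this is meant to surface before then.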
I hope this helps you get your WordPress site secure.
If you only get one thing from this – please, please keep your plugins to a minimum and keep them updated.