WordPress has come a long way since it was launched on May 27, 2003. It started out as pure blogging software but has grown into a Swiss army knife for building websites, thanks primarily to the vast number of available plugins. However, being open source and so widely deployed, it is probably the most hacked, or most frequently attacked, software out there. This article does not attempt to be a complete guide to WordPress security; it is only a starting point.
Install WordPress in a directory other than the root directory on the server, and do not name that directory 'wordpress'. You can keep WordPress in a subdirectory while the main site is served from the root directory. To do this, copy the index.php file to the root and add the directory name to its require line: require( dirname( __FILE__ ) . '/[directory name]/wp-blog-header.php' );
Make sure to change the database table prefix to something other than 'wp_'. You do this in the wp-config.php file by editing this line: $table_prefix = '[insert prefix]_';
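The two installation-time checks above (WordPress loaded from a subdirectory that is not called 'wordpress', and a table prefix that is not the default 'wp_') can be audited from the files themselves. The script below is an added example, not code from the article or from WordPress; the file contents it inspects are constructed in the script, and the rule that a prefix may contain only letters, digits and underscores mirrors what the WordPress installer enforces.

```php
<?php
// Added example: audit a WordPress deployment for the two settings discussed above.
// All input shown here is constructed; point the functions at real files to use it.

/**
 * Extract the WordPress subdirectory from a root index.php that was copied out of
 * the WordPress directory and edited to require '/[directory name]/wp-blog-header.php'.
 * Returns null if wp-blog-header.php is not loaded at all, '' if it is loaded from
 * the root, otherwise the subdirectory name.
 */
function wp_subdirectory_from_index(string $indexPhp): ?string
{
    if (strpos($indexPhp, 'wp-blog-header.php') === false) {
        return null;
    }
    if (preg_match('#[\'"]/([^\'"/]+)/wp-blog-header\.php[\'"]#', $indexPhp, $m)) {
        return $m[1];
    }
    return '';
}

/** Read the value assigned to $table_prefix in wp-config.php, or null if absent. */
function table_prefix_from_config(string $wpConfig): ?string
{
    if (preg_match('/^\s*\$table_prefix\s*=\s*([\'"])(.*?)\1\s*;/m', $wpConfig, $m)) {
        return $m[2];
    }
    return null;
}

/** Return a list of human-readable findings; an empty list means both checks passed. */
function audit_install(string $indexPhp, string $wpConfig): array
{
    $findings = [];

    $dir = wp_subdirectory_from_index($indexPhp);
    if ($dir === null) {
        $findings[] = 'root index.php does not load wp-blog-header.php';
    } elseif ($dir === '') {
        $findings[] = 'WordPress is installed in the web root; move it to a subdirectory';
    } elseif (strtolower($dir) === 'wordpress') {
        $findings[] = "subdirectory is named 'wordpress'; choose a less predictable name";
    }

    $prefix = table_prefix_from_config($wpConfig);
    if ($prefix === null) {
        $findings[] = 'no $table_prefix assignment found in wp-config.php';
    } elseif ($prefix === 'wp_') {
        $findings[] = "table prefix is still the default 'wp_'";
    } elseif (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        $findings[] = 'table prefix may only contain letters, digits and underscores';
    }

    return $findings;
}

// Constructed sample files: a default-looking install and a hardened one.
$defaultIndex  = "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire( dirname( __FILE__ ) . '/wp-blog-header.php' );\n";
$defaultConfig = "<?php\n\$table_prefix = 'wp_';\n";

$hardenedIndex  = "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire( dirname( __FILE__ ) . '/site-core/wp-blog-header.php' );\n";
$hardenedConfig = "<?php\n\$table_prefix = 'k7q_';\n";

foreach (['default' => [$defaultIndex, $defaultConfig],
          'hardened' => [$hardenedIndex, $hardenedConfig]] as $label => [$idx, $cfg]) {
    $findings = audit_install($idx, $cfg);
    echo "$label install: " . (count($findings) ? implode('; ', $findings) : 'OK') . "\n";
}
// The default install reports two findings (web root, 'wp_' prefix); the hardened one reports OK.
```

To run it against a live site, replace the constructed strings with file_get_contents() of the root index.php and the wp-config.php. The prefix regex deliberately matches only a single-quoted or double-quoted literal on its own line, which is how the installer writes it; a prefix built from variables or constants would show up as "no $table_prefix assignment found" and should be reviewed by hand.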
Create passwords that are 100% secure. Hosting control panels have indicators showing the percentage of security of a given password, and the WordPress installer shows whether a password is weak, medium, or strong. Make sure all passwords are 100% or strong.
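A "strong" rating is only meaningful if the password was generated unpredictably and is long enough. The following added example (not code from the article or from WordPress) generates a password from a cryptographically secure source and applies a simple weak/medium/strong rating; the entropy thresholds and the tiny blocklist of common words are assumptions chosen for illustration.

```php
<?php
// Added example: generate a strong password and rate passwords weak/medium/strong.
// Thresholds and the blocklist below are illustrative assumptions, not WordPress's own.

/** Generate a password of $length characters using random_int(), a CSPRNG. */
function generate_password(int $length = 20): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz'
              . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
              . '0123456789'
              . '!@#$%^&*()-_=+[]{};:,.?';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is cryptographically secure; rand()/mt_rand() are not.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** Estimate entropy in bits from the character classes present and the length. */
function password_entropy_bits(string $password): float
{
    $pool = 0;
    if (preg_match('/[a-z]/', $password))        { $pool += 26; }
    if (preg_match('/[A-Z]/', $password))        { $pool += 26; }
    if (preg_match('/[0-9]/', $password))        { $pool += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $pool += 33; } // printable symbols
    return $pool === 0 ? 0.0 : strlen($password) * log($pool, 2);
}

/**
 * Rate a password. Anything containing a well-known word or a run of repeated
 * characters is weak regardless of length; otherwise the estimated entropy decides.
 */
function password_rating(string $password): string
{
    // Constructed demo blocklist; a real deployment should use a breached-password list.
    $common = ['password', '123456', 'qwerty', 'wordpress', 'admin', 'letmein'];
    $lower  = strtolower($password);
    foreach ($common as $word) {
        if (strpos($lower, $word) !== false) {
            return 'weak';
        }
    }
    if (preg_match('/(.)\1{2,}/', $password)) { // e.g. "aaa" or "111"
        return 'weak';
    }
    $bits = password_entropy_bits($password);
    if ($bits < 40) { return 'weak'; }
    if ($bits < 70) { return 'medium'; }
    return 'strong';
}

// Constructed samples: two typical weak choices, a short mixed one, and a generated one.
foreach (['Wordpress2020!', 'P@ssw0rd', 'Tq7#kLm2', generate_password()] as $candidate) {
    printf("%-24s %5.1f bits  %s\n", $candidate, password_entropy_bits($candidate), password_rating($candidate));
}
// 'Wordpress2020!' and 'P@ssw0rd' rate weak (blocklisted words), 'Tq7#kLm2' rates medium,
// and the 20-character generated password rates strong.
```

The entropy estimate is deliberately crude: it assumes every character was drawn uniformly from the full pool, which is true for generate_password() but overstates the strength of human-chosen passwords, which is why the blocklist and repeat check run first. For user-supplied passwords, WordPress's own strength meter (based on zxcvbn) gives a better estimate than this pool calculation.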
Delete the default page and the 'Hello world' post, and also delete the default plugins. Instead, install a firewall plugin such as Wordfence and a captcha plugin (Google reCAPTCHA is recommended).
Install only premium plugins that have many installations (a sign they are safe) and that were updated recently, not a year or more ago (another sign they are safe). The more frequently a plugin is updated, the more likely it is that vulnerabilities are being closed when WordPress security updates come out.
The same goes for themes. Only use premium themes such as those available from StudioPress or another similar site.
These steps do not take a lot of time but will go a long way to protect your WordPress site right from the installation.