• Use secure hosting
• Update all the things
• Strengthen up those passwords
• Never use “admin” as your username
• Hide your username from the author archive URL
• Limit login attempts
• Disable file editing via the dashboard
• Try to avoid free themes
• Keep a backup
• Use security plugins
• Rename the database table prefix from wp_ to something random
• Use a different DB user for each site
• Never use Admin as a user name

How to secure your WordPress websites from hackers

Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will reach for after gaining a login, since it gives them PHP code execution on the server. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users:

define('DISALLOW_FILE_EDIT', true);

    This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.
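As an added example (not part of the original page), a small POSIX shell helper that audits a wp-config.php for two of the checklist items above: DISALLOW_FILE_EDIT set to true, and a table prefix other than the default wp_. The sample config files it creates are constructed for the demonstration, not real site files.

```shell
#!/bin/sh
# audit_wp_config: check one wp-config.php against two hardening items.
# Prints PASS/FAIL per check; returns 0 only when both checks pass.
audit_wp_config() {
    cfg="$1"
    rc=0
    # Match: define('DISALLOW_FILE_EDIT', true); with either quote style.
    if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)" "$cfg"; then
        echo "PASS: DISALLOW_FILE_EDIT is true"
    else
        echo "FAIL: DISALLOW_FILE_EDIT missing or not true"
        rc=1
    fi
    # Pull the quoted value of the first $table_prefix assignment.
    prefix=$(awk -F"['\"]" '/^[[:space:]]*\$table_prefix[[:space:]]*=/ { print $2; exit }' "$cfg")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "FAIL: table prefix is unset or the default wp_"
        rc=1
    else
        echo "PASS: table prefix is $prefix"
    fi
    return "$rc"
}

# Constructed sample configs (not real site files); removed on exit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hardened.php" <<'EOF'
<?php
$table_prefix = 'k9x_';
define('DISALLOW_FILE_EDIT', true);
EOF
cat > "$tmp/default.php" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF
audit_wp_config "$tmp/hardened.php"
audit_wp_config "$tmp/default.php" || echo "default.php needs hardening"
```

Point it at a real install with `audit_wp_config /path/to/wp-config.php`; it only reads the file and changes nothing.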

    Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install; WordPress looks for it one directory up automatically if it is not found in the install directory. For a site installed in the root of your webspace, this means wp-config.php sits outside the web root, where it cannot be requested over HTTP at all.

If you use an Apache server with .htaccess enabled, you can put this block in that file (at the very top) to deny access to anyone requesting the file directly:

# Deny direct web access to wp-config.php only (Apache 2.2 syntax).
# On Apache 2.4 and later, replace the two directives with: Require all denied
<Files wp-config.php>
order allow,deny
deny from all
</Files>