Protecting your WordPress site is a highly worthwhile investment that will prevent hackers or unauthorized persons from altering, deleting, or gaining unexpected entry to it. The steps noted below may seem rudimentary, but you'd be surprised how many
people don't take any of them into account in the course of presenting their company's site to the public.
1. Don't Use "Admin" or "Administrator" as a Login Name
This is the most basic step, because by default, a WordPress account will always have an "admin" account that allows full access to the entire site and its content. Hackers count on users not deleting this account, and so it is the first thing they will try in the process of attempting to gain access to your site. To prevent this, choose the "Add User" option in the WP dashboard and add a new account, with a unique name and password, that only you know (don't forget to give yourself "Administrator" privileges). Then, delete the original "admin" account. You can create as many new accounts as you like, for as many users, but in general, the fewer accounts that exist, the more secure your site will be. Also, after you create any new accounts, change your nickname(s) for all your posts, so your new user name, or names, aren't given away with each of them.
2. Use a Highly Secure Password
You probably have heard this advice before, but it applies here equally. Don't choose a common password such as "password," "123456," or "football." Choose a much more secure password, that mixes upper-case letters, lower-case letters, numerals, and even symbols (!$#%&*), that will be very difficult to guess or decipher.
WordPress will even let you install an extra plug-in, such as BruteProtect, to prevent more than a certain number of login attempts. It will keep track of IP addresses of all login locations, and can automatically block logins from specific locations if the number of attempts is too high—which can happen with "bot" attacks.
3. Keep WP and Its Plug-ins Up-to-Date
You have probably seen warnings to update your software or any number of plug-ins when you log in to WP. Do so, and keep them up-to-date. By taking this step, you can ensure that new vulnerabilities, which have been discovered with older versions of the software or with any plug-ins you are using, can't be exploited on your site.
Some plug-ins are not updated regularly, or at all, so always be aware how current the versions are that you're using, and keep on top of plug-in developers to see if they are still actively supporting their plug-ins. If not, question yourself whether you really need to use them, or if there's a way you can substitute a more current alternative. Fewer plug-ins are better than many.
4. Backup Your Site
Always keep a secure backup of your site and its content, preferably in a different location (or in the cloud) than the original data. WordPress itself allows you to create a backup, using a free or paid option to do so. But you should also perform your own personal backups. There are plug-ins that will export your data to services like DropBox, and there is a great backup tutorial located in the WP Codex. It's a good idea to do backups before upgrading, as well (see the previous step, above).
5. Install Security Plug-ins
Beyond the plug-ins mentioned in the above steps, there are many that focus specifically on security. Extensions, such as WordFence, Sucuri, All-in-One WP Security, and iThemes Security, can track all the changes on your site (including those made to plug-ins), scan your WP files for irregularities, hide login pages, and remove crucial information that hackers look for when they try to gain access. It's worth it to do some research to see which plug-ins provide the security you desire, and which are the most cost-effective. Look for reviews online of the ones you think will be most beneficial.
You're not the only one concerned with protecting a WP site, and there are many companies now providing valuable solutions to give you the requisite peace of mind regarding this issue.