Look at this answer I wrote for a more extensive explanation:
For a summary:
- Add a login limiting plugin
- Move wp-config.php out of the public html folder ( WordPress will look one folder up from its root directory if it isn’t there
- Use the correct file and folder permissions
- Do not use the admin username
- Make sure the first user in the database with ID 1, is not the admin
- Hide what version of WordPress you’re using ( by removing the generator tags in the header, use google for the code snippet, its a copy paste operation )
- Use nonce’s and check capabilities when building custom code
- Use the wordpress filesystem APIs instead of writing your own upload code
- Develop locally using LAMP/WAMP/XAMPP and do regular backups. If your site is compromised its just a matter of re-uploading what you have on your compute
- Never, use
eval, it’s a huge security risk - Always use the latest version of WordPress
- Always use the WP AJAX apis instead of using a custom PHP file and including blog headers php file
- Avoid shared server environments ( there’s a very real risk that someone else on the server isn’t doing any of the above and gets hacked, and it cross infects your own secure install )
- Don’t use the
wp_db table prefix - Add a htaccess file to the wp-admin folder to password secure it to your IP
- escape and validate all inputs no matter how trivial