There are many precautions you can (and should) take.
Select a good host/server.
- Set strong, unique passwords for your hosting and FTP accounts (and prefer SFTP/SSH over plain FTP, which sends the password in cleartext).
- Don't use hosting that exposes the database to remote connections; MySQL should listen only on localhost or a local socket.
- If you host several sites on one server, isolate them (separate system users, so one site's PHP cannot read or write another site's files); otherwise one vulnerable site means all of them get infected.
Install WP in a smart way
- Don't use auto-installers: hosting companies very often ship a modified WordPress that suits them, and you don't know what they changed.
- Choose a strong password for the admin account and give that user a real username (not "admin" or "administrator").
- Don't use the default wp_ database prefix (it is only a small obstacle to automated attacks, but a free one).
Harden your site
- Set proper access rights on your files and directories (typically 755 for directories, 644 for files, and wp-config.php readable only by the user PHP runs as).
- Block direct access to files that should never be requested over HTTP: no PHP file under wp-content should be executable by a direct request. At the very least cover wp-content/uploads, which is where an upload bug drops a web shell; if you block all of wp-content, test the site afterwards, because a few plugins call their own PHP files directly.
- If only a few users need to log in to wp-admin, allow access to wp-admin only from their IP addresses or put it behind HTTP Basic Auth (wp-login.php lives in the site root, not in wp-admin, so cover it too).
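The three hardening items above carried out from a shell on the web server, as an added example that is not part of the original post. It assumes Apache 2.4 with AllowOverride All for the site (so the .htaccess files are honoured); the script name harden-wp.sh, the function names and the IP addresses in the usage line are mine, the addresses being documentation ranges you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the "Harden your
# site" items: file permissions, no PHP execution under wp-content/uploads,
# and wp-admin/wp-login.php restricted to a list of IPs. Assumes Apache 2.4
# with AllowOverride All so .htaccess is honoured. Names and IPs are mine.
set -eu

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Directories 755, files 644, wp-config.php 600: it holds the DB credentials
# and only the user PHP runs as ever needs to read it.
set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Refuse direct requests for PHP under wp-content/uploads, the directory an
# upload vulnerability would drop a web shell into. The same file can go in
# wp-content itself, but test afterwards: a few plugins call their own PHP
# files directly and would break.
block_php_in_uploads() {
    root="$1"
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Restrict wp-admin/ and wp-login.php to the given IPs or CIDR ranges.
# admin-ajax.php stays reachable because themes and plugins call it for
# anonymous visitors too. wp-login.php lives in the site root, so its rule
# is appended to the root .htaccess (which already holds the WP rewrites)
# instead of the one in wp-admin/.
restrict_wp_admin() {
    root="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "restrict_wp_admin: need at least one IP or range" >&2
        return 1
    fi
    mkdir -p "$root/wp-admin"
    {
        echo '<RequireAny>'
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</RequireAny>'
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$root/wp-admin/.htaccess"
    {
        echo ''
        echo '# restrict the login form to the same addresses as wp-admin'
        echo '<Files wp-login.php>'
        echo '    <RequireAny>'
        for ip in "$@"; do echo "        Require ip $ip"; done
        echo '    </RequireAny>'
        echo '</Files>'
    } >> "$root/.htaccess"
}

# Usage: sh harden-wp.sh /var/www/example.org 203.0.113.10 198.51.100.0/24
if [ -n "${1:-}" ]; then
    site="$1"; shift
    set_permissions "$site"
    block_php_in_uploads "$site"
    if [ "$#" -gt 0 ]; then
        restrict_wp_admin "$site" "$@"
    fi
fi
```

Run it once after installing and again after every manual change to the tree; the wp-admin rule will lock you out the first time you work from a new network, which is the point. On nginx the same two rules are a `location` block for `/wp-content/uploads/` that denies `\.php$` and an `allow`/`deny` list on `/wp-admin/` with `admin-ajax.php` exempted.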
Maintain your site
- Be careful when installing new plugins; download plugins and themes only from their original sources.
- Use only well-maintained, securely written plugins and themes (be very careful with plugins/themes from CodeCanyon/ThemeForest, which are very often poorly written).
- Keep WordPress core, themes and plugins updated.
Bonus. Don’t use…
Don't use "security" plugins. They don't do much, because they can't: they are only plugins, so if the site has a vulnerability, it still has it. A plugin can only harden and check your site, and hardening done automatically is always worse than hardening done by hand. Monitoring your site with a plugin makes no sense either: once the site is infected, the malware can easily change the behaviour of the site and of any plugin (I've shown many times at WordCamp in Poland how easy it is to make Wordfence report whatever you want as its monitoring status), so any check you intend to trust has to run outside WordPress. All that checking and logging also makes the site much slower. And worse still, a look at WPVulnDB shows that many "security plugins" have had plenty of vulnerabilities in their own code.
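Because anything running inside WordPress can be altered by malware on the site, a check worth trusting has to run outside it. As an added example (not from the original post), here is a baseline-and-verify integrity check of the PHP files, meant to run from the host's cron or from another machine after an rsync; the script name wp-integrity.sh, the function names and the baseline path are assumptions, and it assumes GNU coreutils (sha256sum, diff).

```shell
#!/bin/sh
# Added example, not code from the original post. A file-integrity check that
# runs outside WordPress (host cron, or another machine), so nothing running
# inside PHP can alter what it reports. Assumes GNU coreutils. Only PHP files
# are hashed: wp-content/uploads changes legitimately all the time, and a PHP
# file appearing there is exactly what this should flag.
set -eu

# Write "<sha256>  ./relative/path" for every PHP file under $1 into $2,
# sorted by path so two manifests can be compared line by line.
make_manifest() {
    root="$1"; manifest="$2"
    (cd "$root" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k 2) > "$manifest"
}

# Compare the tree under $1 with the baseline manifest $2. Prints the
# differing manifest lines ("<" baseline, ">" current) and returns 1 if any
# PHP file was modified, added or removed; returns 0 when the tree is clean.
verify_manifest() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    make_manifest "$root" "$current"
    changes=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Usage: sh wp-integrity.sh baseline /var/www/example.org /root/wp-baseline.txt
#        sh wp-integrity.sh verify   /var/www/example.org /root/wp-baseline.txt
# Take the baseline right after a clean install or update, keep it outside the
# web root, and run verify from cron; a non-zero exit means "look now".
case "${1:-}" in
    baseline) make_manifest "$2" "$3" ;;
    verify)   verify_manifest "$2" "$3" ;;
esac
```

Refresh the baseline after every update of core, a theme or a plugin, otherwise every legitimate update looks like tampering; and keep the baseline file where the PHP user cannot write it, or the malware simply re-baselines itself.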
Also, don't change the default login address. WordPress loads your theme and all your plugins to render a 404 page, so a 404 is several times slower to produce than the login form. If you move the login form and a brute-force attack hits the old address, every attempt becomes an expensive 404 and the attack turns into a denial of service, courtesy of your change. If you chose your hosting wisely, on the other hand, you don't have to worry about brute-force attacks against the login form, because the host's firewall and rate limiting block them.