It is important to secure your WordPress installation, whether it was installed yesterday or has been running for years. The basics are not complicated, but they matter a great deal.
These are the things you should really do.
Make sure you have the most recent version of WordPress
Enable automatic backups (for example to Dropbox)
Enable automatic updates for WordPress (for example in Installatron in your cPanel)
Enable automatic updates for plugins (for example in Installatron in your cPanel)
Use strong passwords only
Enable CloudFlare in your cPanel
Do not use paid themes that you downloaded from "free" websites; they are often compromised
Make sure there is no account called ‘admin’ in your installation
Must-have plugins
These are easy-to-install plugins that raise your security.
Use two-factor authentication, either through the automatic installation process or by installing a two-factor authentication plugin
Use a brute force protection plugin like Bruteprotect
Make sure the permissions on your files are correct (a file-permission checking plugin can do this for you)
In your web root (the folder with the WordPress files in your FTP client or file manager) there is a file called .htaccess. Add the following before the '#BEGIN WordPress' line.
Protect wp-includes by adding the following (if you run a multisite network, leave out the rule that blocks every top-level wp-includes/*.php file, because it also blocks ms-files.php):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Protect your wp-config.php by adding the following (the Files block limits the deny to that one file; a bare "deny from all" at this level would block the whole site):
<files wp-config.php>
order allow,deny
deny from all
</files>
Protect /wp-content/ by adding a .htaccess inside the /wp-content/ folder containing the following. Everything not in the allowed-extension list is blocked, so extend the list if your theme serves other static files (web fonts, SVG), and check afterwards that no plugin relies on loading PHP directly from wp-content:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
These are good to implement, but a bit more difficult. The actions above already go a long way toward protecting your WordPress installation.
Do not use the default wp_ database prefix
Do not develop over an insecure channel like plain FTP (use a channel protected by SSL/TLS, such as FTPS)
Make sure your database user has as few privileges as possible
When you are done developing, add the following to your wp-config.php to block PHP file editing through the dashboard:
define('DISALLOW_FILE_EDIT', true);
Use an SSL certificate
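The file-permission check from the plugin list and the wp-config.php items in this section (non-default table prefix, file editing disabled) can be verified from a script. The following is an added example written for this page, not code from the original post or from any WordPress tool; the sample wp-config.php fragment and the file listing are constructed inputs, and on a real install you would build the listing from os.stat() over the web root.

```python
import re
import stat

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_CONFIG = """
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

# Constructed listing: path -> permission bits, i.e. os.stat(p).st_mode & 0o777.
SAMPLE_LISTING = {
    "wp-config.php": 0o644,
    "wp-content/uploads": 0o777,
    "index.php": 0o644,
}


def audit_wp_config(config_text):
    """Return findings for the wp-config.php items above; [] means it passes."""
    findings = []
    # $table_prefix = 'wp_';  -> the default prefix the page says not to use
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config_text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    # define('DISALLOW_FILE_EDIT', true);  -> dashboard file editing blocked
    edit = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
        config_text, re.IGNORECASE)
    if edit is None or edit.group(1).lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings


def audit_permissions(listing):
    """Flag group/world-writable entries and a wp-config.php that others can read."""
    findings = []
    for path, mode in listing.items():
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path} is writable by group or others ({mode:o})")
        if path.endswith("wp-config.php") and mode & stat.S_IROTH:
            findings.append(f"{path} is readable by others ({mode:o})")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG) + audit_permissions(SAMPLE_LISTING):
        print("FAIL:", finding)
```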