MUST HAVE PLUGINS:
As a matter of necessity the above plugins must be installed and run/used at least once a week to check your wp-content for harmful code.
1. Always update your wordpress/themes/plugins to the latest versions.
2. Change all PHP file permissions to 600
3. Rename the admin user: On a new install you can simply create a new Administrative account and delete the default admin account by adding a new user with Administrator role, make sure you use a strong password.
4. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this to somethingn like myownsite_ can block at least some SQL injection attacks.
5. Keep wp-admin Directory Protected: Keeping “wp-admin” folder protected adds an extra layer of protection. Whoever attempts to access wp-content or directory after “wp-admin” will be prompt to login. You can set protection easily on any folder via cPanel’s Password Protect Directories graphical user interface.
6. Hide WordPress Version in the Header Tag: Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)
<?php remove_action(‘wp_head’, ‘wp_generator’); ?>
7.Nobody should be allowed to search your entire server: If you allow then the hacker will find the way to hack easily. The best way to block them is in your robots.txt file. Add the following line to your list:
8. Protect your wp-config.php file: You can secure your wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install:
<FilesMatch ^wp-config.php$>deny from all
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.