2) Disable Error Reporting for Core System:

Whenever an error occurs on the site, WordPress displays a message on the front-end. This message may contain the path to the problematic file, and attackers can use such details to learn how your server is laid out and plan an attack. It's good practice to disable it by adding or updating the line below in the wp-config.php file:

define( 'WP_DEBUG', false);

File and directory permissions play an important role in WordPress security, so it's always recommended to use 755 for directories and 644 for files to protect your website.

Run the following command from the WordPress root to recursively set the permissions of all directories:

find . -type d -exec chmod 755 {} \;  # Change directory permissions rwxr-xr-x

Run the following command from the WordPress root to set the permissions of all files:

find . -type f -exec chmod 644 {} \;  # Change file permissions rw-r--r--

Some themes and plugins allow users to upload files. This feature can be abused to upload malicious code and hijack the site: when WordPress serves such an uploaded file, the code is executed and the site is damaged or compromised. To prevent this, add a .htaccess file to the uploads directory with the code below, which blocks PHP execution in uploads while leaving images and other media reachable.

# Refuse direct requests for .php files under wp-content/uploads (Apache 2.2 access syntax)
<Files *.php>
deny from all
</Files>

While installing WordPress you can also change the database table prefix to a random, strong combination of letters and digits.

If attackers find a security vulnerability that lets them write to the site database, the default table prefix is an easy giveaway. By default WordPress uses "wp_" as the prefix for all database tables, so it's easy to guess. It's good practice to change the prefix, which helps hinder database access by attackers.
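The checks from the last few points (WP_DEBUG left on, the 755/644 permission scheme, PHP files and the missing .htaccess lock in uploads, the default "wp_" table prefix) can be run as one audit. The script below is an added example, not the article's own code: it audits a WordPress tree, applies the file-level fixes the article describes, and reports the table prefix rather than changing it, because a prefix change also requires renaming the database tables. The sample site it builds under a temporary directory is constructed for illustration; paths such as wp-content/uploads are the standard WordPress layout.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress tree for the hardening
# points discussed above and apply the file-level fixes.  The sample site is
# constructed for illustration.

# Print one finding per line for the site rooted at $1; print nothing when clean.
wp_audit() {
    root=$1
    cfg="$root/wp-config.php"
    uploads="$root/wp-content/uploads"

    if [ -f "$cfg" ]; then
        # Error display left on: messages can leak server paths
        grep -Eq "define\([[:space:]]*.WP_DEBUG.,[[:space:]]*true" "$cfg" \
            && echo "WP_DEBUG is true in wp-config.php"
        # Default table prefix makes table names guessable
        grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg" \
            && echo "default table prefix wp_ in wp-config.php"
    fi

    # Directories should be 755 and files 644
    find "$root" -type d ! -perm 755 | sed 's/^/directory not 755: /'
    find "$root" -type f ! -perm 644 | sed 's/^/file not 644: /'

    if [ -d "$uploads" ]; then
        # PHP files have no business in uploads, and the lock-down .htaccess must exist
        find "$uploads" -type f -name '*.php' | sed 's/^/php file in uploads: /'
        [ -f "$uploads/.htaccess" ] || echo "no .htaccess in uploads"
    fi
}

# Number of findings for the site rooted at $1 (0 when clean).
wp_audit_count() {
    wp_audit "$1" | awk 'END { print NR }'
}

# Apply the file-level fixes from the article: WP_DEBUG off, PHP blocked in
# uploads, 755/644 permissions.  PHP files found in uploads are left for a human
# to inspect, and the table prefix is only reported.
wp_harden() {
    root=$1
    cfg="$root/wp-config.php"
    uploads="$root/wp-content/uploads"

    if [ -f "$cfg" ]; then
        sed "s/define( *'WP_DEBUG', *true *)/define( 'WP_DEBUG', false )/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    fi
    if [ -d "$uploads" ]; then
        printf '<Files *.php>\ndeny from all\n</Files>\n' > "$uploads/.htaccess"
    fi
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
}

# Constructed sample site with every problem present (a throwaway directory,
# not a real install).  Prints its path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2024"
    cat > "$site/wp-config.php" <<'EOF'
<?php
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
EOF
    printf 'GIF89a\n' > "$site/wp-content/uploads/2024/image.gif"
    printf '<?php echo "constructed sample";\n' > "$site/wp-content/uploads/2024/dropped.php"
    chmod 755 "$site" "$site/wp-content" "$site/wp-content/uploads"
    chmod 777 "$site/wp-content/uploads/2024"               # world-writable directory
    chmod 644 "$site/wp-config.php" "$site/wp-content/uploads/2024/image.gif"
    chmod 755 "$site/wp-content/uploads/2024/dropped.php"   # executable file in uploads
    echo "$site"
}

# Demo run against the constructed site: WP_AUDIT_DEMO=1 sh wp-audit.sh
if [ "${WP_AUDIT_DEMO:-}" = 1 ]; then
    site=$(make_sample_site)
    echo "before: $(wp_audit_count "$site") findings"; wp_audit "$site"
    wp_harden "$site"
    echo "after: $(wp_audit_count "$site") findings"; wp_audit "$site"
    rm -rf "$site"
fi
```

On the constructed site the audit reports six findings; after wp_harden only the default prefix and the stray PHP file in uploads remain, which is the intended result: both need a decision rather than a blind fix. Against a real install, run wp_audit /path/to/wordpress first and read the output before running wp_harden, since some hosts require wp-config.php to be tighter than 644.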

Since WordPress version 3.xx (if you're still using an older version of WordPress, it's time to upgrade) it has been possible to choose a custom username instead of the default "admin" during installation. Many people still use the default "admin" username and become victims of WordPress brute-force attacks.

Don't use a simple password such as a sequence of numbers or "qwerty", because attackers can easily crack this type of password and gain access to your website. The password should also not be a name, such as your own name or your pet's name, or any dictionary word. A strong password should include both upper- and lower-case letters together with numbers and special characters such as !, $, ?, ( etc.
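The rules in this paragraph can be turned into a check that rejects a candidate password before it is set. The function below is an added example, not the article's own code: it enforces the upper/lower/digit/special mix, rejects keyboard and number sequences, and strips digits and symbols before comparing against a word list so that a pet's name padded with a year is still caught. The 12-character minimum and the word list are assumptions; a real deployment would use a proper common-password list.

```shell
#!/bin/sh
# Added example (not from the article): check a candidate password against the
# rules above.  The 12-character minimum and the word list are assumptions.

# Constructed stand-in for a dictionary / common-password list
WEAK_WORDS='password
qwerty
letmein
welcome
admin
fluffy'

# Return 0 when $1 passes every rule; otherwise print the failing rule and return 1.
password_ok() {
    pw=$1
    [ "${#pw}" -ge 12 ] || { echo "shorter than 12 characters"; return 1; }
    case $pw in *[A-Z]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no special character"; return 1 ;; esac
    # Keyboard walks and number runs, regardless of letter case
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    case $lower in
        *qwert*|*asdf*|*1234*|*abcd*) echo "contains a keyboard or number sequence"; return 1 ;;
    esac
    # Keep only the letters so "Fluffy2019!!" is still recognised as "fluffy"
    core=$(printf '%s' "$lower" | tr -cd 'a-z')
    if printf '%s\n' "$WEAK_WORDS" | grep -qxF "$core"; then
        echo "based on a dictionary word or name"
        return 1
    fi
    return 0
}

# Demo: PASSWORD_DEMO=1 sh password-check.sh
if [ "${PASSWORD_DEMO:-}" = 1 ]; then
    for candidate in 'qwerty123' 'Fluffy2019!!' 'Tr0ub4dor&3xplorer!'; do
        if password_ok "$candidate"; then echo "accepted: $candidate"; fi
    done
fi
```

Call it as password_ok "$candidate" and branch on the exit status; the message on stdout tells the user which rule failed.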

Most hosting companies provide malware scanner add-ons, which scan files regularly, detect infections and remove them. You should also use a security plugin that provides malware scanning, so that immediate action can be taken when infected files are detected.

Don't log in to your website or hosting account over public WiFi or from an internet cafe: such traffic can be intercepted and your site compromised. Avoid logging into WordPress through an unsecured connection or network.

Always use File Transfer Protocol Secure (FTPS) instead of plain FTP, which is unencrypted, to prevent your connection from being monitored or hijacked. Alternatively, use the SSH File Transfer Protocol (SFTP) instead of FTP, as it is more secure.

Apart from the security tools offered by your hosting company, you can add a further layer of security by installing security plugins on the website. These plugins work on their own, so you can use them even if you are non-technical.

Here are a few security plugins we've used extensively:

1. Wordfence Security – Firewall & Malware Scan

Link :
Active installations: 2+ million

2. Sucuri Security – Auditing, Malware Scanner and Security Hardening

Link :
Active installations: 400,000+

3. All In One WP Security & Firewall

Link :
Active installations: 700,000+