Achievable WordPress security measures — don't become the victim of an opportunistic attack

With all the press about WordPress sites being compromised, including cases of ransomware distribution and password-stealing plugins, it is clear that security should be at the forefront of your mind when running a WordPress site. Fortunately the vast majority of attacks are opportunistic: automated scanners look for known vulnerabilities in WordPress core, plugins and themes, and for weak credentials, rather than for your site in particular. The upshot is that basic security practices, such as using strong passwords and keeping software up to date, thwart most attempts to hijack your site.

Keep your site up to date

Keeping WordPress, plugins and themes up to date with security patches is of paramount importance. The release of a security update means a vulnerability is now public knowledge, and it may already be exploited in the wild; the longer you leave your site unpatched, the more likely it is that an automated scan finds it. To reduce the risk you should update your WordPress installation, plugins and themes regularly, preferably as soon as updates are available. You should also limit your use of plugins and themes to those which are trusted and receive regular developer attention, and replace any that their developers stop supporting: an abandoned plugin will never receive a fix for the next vulnerability found in it.

WordPress is relatively easy to keep up to date. Since version 3.7 it has installed minor and security releases automatically in the background; major releases (for example from 3.7 to 3.8) still need a click in the dashboard unless you explicitly opt in to them. This feature is enabled by default, but WordPress will quietly disable all background updates if it finds a version control checkout (a .git, .svn, .hg or .bzr directory) in the installation directory or in any directory above it, so if you manage your site with Git, check that updates are actually happening.

Next come plugins and themes. If you have stuck to plugins and themes from the WordPress.org repository you can enable automatic updates for them with an update plugin. There are several options; Advanced Automatic Updates is widely used, and you only have to install it, open its settings and enable updates for both plugins and themes. Such plugins work by switching on the auto_update_plugin and auto_update_theme filters that WordPress itself has exposed since 3.7. Themes and plugins obtained elsewhere cannot be updated this way: you will have to update them manually unless the vendor provides its own update mechanism.
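The two points above (the version control check that silently turns background updates off, and opting plugins and themes in to automatic updates) can be handled from the server shell without a third-party plugin. The following POSIX shell script is an added example, not code from this article, from WordPress or from the Advanced Automatic Updates plugin. The .svn/.git/.hg/.bzr markers and the auto_update_plugin, auto_update_theme and allow_major_auto_core_updates filters are WordPress's own; the site path, the function names and the mu-plugin file name are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from any WordPress plugin.
# Assumes a standard layout: "$1" is the WordPress root (contains wp-includes/
# and wp-content/). Function and file names are this example's own choices.

# WordPress silently disables background updates when the install directory
# or any of its parents contains a version-control marker directory
# (.svn, .git, .hg, .bzr). Reproduce that walk: print the first marker found
# and return 0, or return 1 when no marker exists anywhere above the install.
vcs_checkout_detected() {
  dir=$(cd "$1" && pwd) || return 2
  while :; do
    for marker in .svn .git .hg .bzr; do
      if [ -d "$dir/$marker" ]; then
        printf '%s\n' "$dir/$marker"
        return 0
      fi
    done
    # Stop once dirname returns its own input, i.e. at the filesystem root.
    [ "$(dirname "$dir")" = "$dir" ] && return 1
    dir=$(dirname "$dir")
  done
}

# Write a must-use plugin that opts in to automatic updates. mu-plugins load
# on every request and cannot be deactivated from the dashboard, so the
# setting survives an administrator clicking through the plugin list.
install_auto_update_mu_plugin() {
  mu_dir="$1/wp-content/mu-plugins"
  [ -d "$1/wp-includes" ] || { echo "$1 is not a WordPress root" >&2; return 1; }
  mkdir -p "$mu_dir" || return 1
  cat > "$mu_dir/enable-auto-updates.php" <<'EOF'
<?php
/*
Plugin Name: Enable automatic updates
Description: Opt in to background updates for core, plugins and themes.
*/
// These filters are WordPress core's, available since 3.7.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
// Minor/security core releases are automatic by default; this also allows
// major releases. Leave it out to keep the default behaviour.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
EOF
}

# Usage (assumed path):
#   vcs_checkout_detected /var/www/example && echo "background updates are suppressed"
#   install_auto_update_mu_plugin /var/www/example
```

If vcs_checkout_detected reports a marker, either move the checkout metadata out of the path (deploy an export rather than a working copy) or accept that you are responsible for applying updates through your own deployment pipeline; the mu-plugin alone does not override the version control check.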

Further considerations

Backups. Software breaks, hardware breaks and ransomware exists, but what about your backups? Backups are essential for swift and cheap recovery from catastrophe. WordPress.org offers a good guide on manual site backups, but you may wish to automate the process, and for that we recommend UpdraftPlus. With UpdraftPlus you can schedule backups, restore from them easily and store them in cloud storage such as Dropbox or Google Drive. Bear in mind that the plugin keeps the credentials for that storage inside your site, so an attacker who compromises WordPress can usually read them and then delete or tamper with your backups. We therefore recommend that you periodically download your backups so that you have trusted copies in a location that cannot be reached from the WordPress site, and that you occasionally test a restore: a backup you have never restored is an assumption, not a backup.

As with all passwords, every WordPress account, and administrator accounts in particular, needs a strong password to resist brute force attacks. Use a password manager to generate and store a random password of at least 16 characters, keep the number of administrator accounts to a minimum and remove accounts that are no longer needed. In addition to strong passwords there are security plugins which further reduce the viability of brute force attacks by limiting failed login attempts. We recommend Wordfence as a good all-round security plugin which can be configured to provide many security benefits, including protection from brute force password attacks and two-factor authentication (with the premium plan).

Your database credentials are stored in the file wp-config.php, which is normally found in the root of your WordPress installation, a directory that is reachable over the internet. This is not usually a problem, because the web server executes PHP files rather than serving their contents, but a misconfigured server (PHP handling switched off, or a stray copy such as wp-config.php.bak that is served as plain text) or a file disclosure vulnerability can expose it. Moving the file out of the web root removes that exposure. Log in to your server and move wp-config.php from the WordPress root (the folder containing wp-includes) up a single directory; WordPress looks there automatically, as long as that parent directory does not also contain a wp-settings.php. This only helps if the parent directory is itself outside the document root. In addition, set the file's permissions to 400 (readable only by its owner, when the web server runs as that owner) or 440 (also readable by the group, when the web server runs as a separate user in that group). You can read more about the benefits of moving wp-config.php on StackExchange.
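The move described above is a short procedure, but it is easy to get wrong: move the file into a parent that already holds a wp-settings.php and WordPress will ignore it, leave a backup copy behind and the original problem remains. The POSIX shell script below is an added example, not code from the article, that performs the move with those checks and sets the permissions. The parent-directory fallback and the wp-settings.php condition are WordPress's own behaviour (wp-load.php); the paths, function names and the list of backup suffixes it warns about are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the article. Moves wp-config.php one level above
# the WordPress root and tightens its permissions. WordPress itself (wp-load.php)
# falls back to ../wp-config.php when the root has none, provided the parent does
# not also contain wp-settings.php (that would look like a nested install).
# Paths and function names here are this example's own choices.

relocate_wp_config() {
  root=$(cd "$1" && pwd) || return 2
  mode=${2:-400}        # 400 when the web server runs as the file owner,
                        # 440 when it runs as another user in the file's group.
  parent=$(dirname "$root")

  # Refuse to act on anything that is not a WordPress root with a config in it.
  [ -d "$root/wp-includes" ]   || { echo "$root: not a WordPress root" >&2; return 1; }
  [ -f "$root/wp-config.php" ] || { echo "$root: no wp-config.php to move" >&2; return 1; }
  [ "$parent" != "$root" ]     || { echo "$root: nothing above the filesystem root" >&2; return 1; }
  # WordPress ignores ../wp-config.php when ../wp-settings.php exists.
  [ ! -e "$parent/wp-settings.php" ] || { echo "$parent: contains wp-settings.php, WordPress would not load the config from here" >&2; return 1; }
  [ ! -e "$parent/wp-config.php" ]   || { echo "$parent: wp-config.php already exists, refusing to overwrite" >&2; return 1; }

  mv "$root/wp-config.php" "$parent/wp-config.php" || return 1
  chmod "$mode" "$parent/wp-config.php" || return 1

  # Editor and backup copies left in the web root are served as plain text
  # by most servers, so report any that exist (assumed list of suffixes).
  for leftover in "$root"/wp-config.php~ "$root"/wp-config.php.bak "$root"/wp-config.php.orig; do
    [ -e "$leftover" ] && echo "warning: $leftover still exists in the web root" >&2
  done
  return 0
}

# Octal permission bits of a file, portable across GNU and BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Usage (assumed path): relocate_wp_config /var/www/example/htdocs 440
#                       file_mode /var/www/example/wp-config.php
```

Run it as the user that owns the WordPress files, then load the site once to confirm it still finds its configuration. If WordPress is installed in a subdirectory of the document root rather than at the root itself, the parent is still web-served and the move gains nothing; in that case the file has to go further up, outside the document root entirely.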

The security practices laid out in this article should help you move your site out of the pool of easy targets that attackers compromise on a daily basis. Updating software and using strong passwords are paramount for all computing, from your workstation to your phone. While the focus here has been on hardening your WordPress site, you also need to consider other attack vectors: the devices used to administer the site (think keyloggers and other malware) and the networks they connect over (think surveillance). For example, many people log in to their admin panel without HTTPS (no 'https' in the URL, so the connection is not encrypted), and anyone on the same network can then record the login credentials. Administer your site only over secure, trusted networks, never through open public WiFi hotspots, and once you have a certificate in place make WordPress insist on an encrypted dashboard by setting FORCE_SSL_ADMIN in wp-config.php. Being 100% secure is neither practical nor the aim; taking practical steps to reduce risk will keep your site safe from many of the attacks you are likely to face.

For further advice you can check out WordPress.org's Hardening WordPress and OWASP's WordPress Security Implementation Guidelines (also useful, albeit dated in some areas).
