Best practices and tips for WordPress website owners
Keep your computer safe. Install a virus and malware scanner and run scans regularly.
Set up a computer firewall. Either download one or use the one included with your operating system.
Don’t log into your WordPress site over public Wi-Fi or any other unsecured connection. If you do, your credentials could be intercepted.
When accessing your server, use FTPS (File Transfer Protocol Secure) instead of the unsecured FTP to prevent your connection from being monitored.
Keep WordPress core, themes, and plugins up to date.
Only install trusted WordPress plugins and themes. On WordPress.org, the “Popular” and “Featured” sections of the plugin directory are a good place to start when looking for trusted and secure plugins. To judge whether a theme or plugin can be trusted, first read its ratings. There, you can find clues as to whether there have been security breaches or other issues in the past, like buggy updates. You’ll also want to check when the plugin or theme was last updated. If it hasn’t received an update in some time (say, years), that inactivity is a sign you should look somewhere else. In addition, looking at a plugin’s or theme’s popularity is another way to reduce the chance of installing malicious code into your WordPress site. A widely popular plugin or theme isn’t necessarily less likely to be targeted by hackers, but it is more likely to be updated with security patches regularly due to its wide use.
Avoid using “admin” or “administrator” as a username.
Install an SSL certificate so that all communication to and from your website is encrypted.
Use a strong password at least 12 characters long. The best way is to use a password generator, and make sure you change it every month.
Install a WordPress security plugin.
Last but not least, BACK UP REGULARLY.
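The plugin and theme vetting tip above (ratings, last update, popularity) can be turned into a repeatable check. This added example is not from the original page; the record field names are modeled on WordPress.org plugin directory metadata and, like the thresholds and the sample records, are assumptions.

```python
from datetime import datetime, timezone

# Thresholds are assumptions for illustration; the tip above only says "years".
MAX_AGE_DAYS = 2 * 365   # no update in two years counts as stale
MIN_RATING = 70          # average rating on a 0-100 scale
MIN_RATINGS = 20         # below this there are too few ratings to judge
MIN_INSTALLS = 1000      # low adoption means fewer eyes on the code


def parse_last_updated(value):
    """Parse a timestamp such as '2024-03-02 4:15pm GMT' into an aware datetime."""
    stamp = datetime.strptime(value.upper().replace(" GMT", ""), "%Y-%m-%d %I:%M%p")
    return stamp.replace(tzinfo=timezone.utc)


def vet_plugin(info, now=None):
    """Return a list of warnings for one plugin or theme metadata record."""
    now = now or datetime.now(timezone.utc)
    warnings = []
    age_days = (now - parse_last_updated(info["last_updated"])).days
    if age_days > MAX_AGE_DAYS:
        warnings.append(f"stale: last updated {age_days} days ago")
    if info["num_ratings"] < MIN_RATINGS:
        warnings.append(f"few ratings: {info['num_ratings']}")
    elif info["rating"] < MIN_RATING:
        warnings.append(f"low rating: {info['rating']}/100")
    if info["active_installs"] < MIN_INSTALLS:
        warnings.append(f"low adoption: {info['active_installs']} active installs")
    return warnings


# Constructed sample records; slugs and values are invented for this example.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "rating": 92, "num_ratings": 480,
     "active_installs": 200000, "last_updated": "2024-03-02 4:15pm GMT"},
    {"slug": "example-slider", "rating": 88, "num_ratings": 35,
     "active_installs": 4000, "last_updated": "2019-06-11 9:02am GMT"},
    {"slug": "example-seo-tool", "rating": 54, "num_ratings": 61,
     "active_installs": 300, "last_updated": "2024-01-20 11:40am GMT"},
]

if __name__ == "__main__":
    # Fixed reference date so the output is repeatable.
    reference = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for plugin in SAMPLE_PLUGINS:
        issues = vet_plugin(plugin, now=reference)
        print(plugin["slug"], "->", "; ".join(issues) if issues else "no warnings")
```

A clean result only means none of these three signals raised a flag; it does not show that the code itself is safe.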