WordPress core itself is reasonably secure; most hacked sites were compromised through a vulnerable plugin, a stolen password, or an out-of-date install.
1. Strong passwords + 2FA
Use a password manager. Install two-factor authentication (built into Wordfence, Jetpack and Solid Security) and turn it on for every admin user.
2. Don't use "admin" as your username
Create a new administrator account with a non-obvious username, log in as that user, then delete the old "admin" account (WordPress will ask you to attribute its posts to another user; pick the new one).
3. Keep everything updated
Dashboard → Updates. Update core, themes and plugins weekly. Enable auto-updates for minor releases.
4. Delete plugins and themes you don't use
Deactivated code is still on the server and its files can still be reached and exploited. Delete what you are not using.
5. Limit login attempts
Install Limit Login Attempts Reloaded. It blocks further brute-force attempts from a client after 4 wrong passwords.
6. Disable file editing from the admin
Add this to wp-config.php, above the line that loads wp-settings.php (the "That's all, stop editing!" comment); a define placed after that line is ignored:
define('DISALLOW_FILE_EDIT', true);
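A small audit script, added here as an example and not part of the original checklist, that checks a wp-config.php for the define above and reports when it is missing or placed too late to take effect. The sample config contents it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original checklist: audit a wp-config.php to
# confirm the admin file editor is really disabled. The define only works if
# it comes BEFORE the line that loads wp-settings.php; a define after it is ignored.
# Return codes: 0 = disabled, 1 = define missing, 2 = define present but too late.
check_file_edit_disabled() {
    cfg="$1"
    # First uncommented define(...) setting DISALLOW_FILE_EDIT to true (single or double quotes).
    def_line=$(grep -nE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" | head -n 1 | cut -d: -f1)
    # Line where wp-config.php hands control to WordPress core.
    settings_line=$(grep -n "wp-settings.php" "$cfg" | head -n 1 | cut -d: -f1)
    if [ -z "$def_line" ]; then
        echo "$cfg: DISALLOW_FILE_EDIT is not set; the theme/plugin editor is still available"
        return 1
    fi
    if [ -n "$settings_line" ] && [ "$def_line" -gt "$settings_line" ]; then
        echo "$cfg: DISALLOW_FILE_EDIT is on line $def_line, after wp-settings.php (line $settings_line), so it has no effect"
        return 2
    fi
    echo "$cfg: admin file editing is disabled"
    return 0
}

# Constructed sample configs (trimmed to the relevant lines) for the demonstration.
write_sample() {  # write_sample <path> <good|missing|late>
    case "$2" in
        good)    printf "%s\n" "<?php" "define( 'DB_NAME', 'wp' );" "define( 'DISALLOW_FILE_EDIT', true );" "/* That's all, stop editing! */" "require_once ABSPATH . 'wp-settings.php';" > "$1" ;;
        missing) printf "%s\n" "<?php" "define( 'DB_NAME', 'wp' );" "// define( 'DISALLOW_FILE_EDIT', true );" "require_once ABSPATH . 'wp-settings.php';" > "$1" ;;
        late)    printf "%s\n" "<?php" "define( 'DB_NAME', 'wp' );" "require_once ABSPATH . 'wp-settings.php';" "define('DISALLOW_FILE_EDIT', true);" > "$1" ;;
    esac
}

# Run the check against all three constructed cases.
for mode in good missing late; do
    f=$(mktemp)
    write_sample "$f" "$mode"
    check_file_edit_disabled "$f" || true
    rm -f "$f"
done
```

Point it at a real install with `check_file_edit_disabled /var/www/html/wp-config.php` after sourcing the script.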
7. Use a security plugin
Wordfence or Solid Security. Run its malware scan weekly.
8. Take backups you can restore
Cron-based backups are useless if you can't restore them. Test a full restore once a quarter.