https://yoast.com/wordpress-security/

 

Here is a summary of what Yoast recommends to increase the security of our WordPress installation.

 

1.  Don't use 'admin' as a username

 

2. Only assign the administrator role to those who need it. Give all others the minimum role they require.

 

3. Use a less common password: CLU (Complex, Long, Unique).

 

4.  Hide wp-config.php and .htaccess

 

You need to add this code to your .htaccess file.

 

# Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it, or use "Require all denied" instead.
<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

 

5. Change the table prefix

  (Usually wp_, change it to something else like zcv_)

  NB. This is best done at the installation stage.

 

6. Use WordPress Security Keys for authentication. Changing them in wp-config.php can make things more secure; you can generate new ones at https://api.wordpress.org/secret-key/1.1/salt/ (or use the Sucuri plugin).

 

7. Disable file editing. Stop people from editing your files within WordPress (this won't affect FTP) by adding this to your wp-config.php:

 

define('DISALLOW_FILE_EDIT', true);

 

8. Limit login attempts using a plugin like "Brute Protect", or using Jetpack, where it is now built in.

 

9. Add two-step verification – using the Google Authenticator plugin or Rublon plugin.

 

10.  Get a good hosting company that can help you optimize your WordPress security.

 

11.  Be careful with your plugins.  Read this article and try to avoid plugins with low ratings or that are more than two years old.

Please read his article here: https://yoast.com/wordpress-security/ for more in-depth info.
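
Items 4 to 7 above can be checked mechanically. The Python script below is an added example, not code from Yoast's article or from this summary; it audits the text of a wp-config.php and an .htaccess file. The function names, the 64-character minimum key length and the sample inputs are assumptions made for illustration.

```python
import re

# The eight constants served by https://api.wordpress.org/secret-key/1.1/salt/
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LEN = 64  # assumed threshold: length of the values the salt API returns

def define_value(php, name):
    """Return the string value of define('NAME', '...'), or None if absent."""
    m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*'([^']*)'\s*\)" % re.escape(name), php)
    return m.group(1) if m else None

def audit_wp_config(php):
    """Return a list of findings for checklist items 5, 6 and 7."""
    php = re.sub(r"^\s*(//|#).*$", "", php, flags=re.M)  # ignore commented-out lines
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is missing or the default wp_")
    for key in KEYS:
        value = define_value(php, key)
        if value is None or value == PLACEHOLDER or len(value) < MIN_LEN:
            findings.append("weak or missing security key: " + key)
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", php, re.I):
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings

def audit_htaccess(conf):
    """Return the files from item 4 that no <Files> block denies access to."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)  # ignore comment lines
    unprotected = []
    for name in ("wp-config.php", ".htaccess"):
        block = re.search(r'<Files\s+"?%s"?\s*>(.*?)</Files>' % re.escape(name), conf, re.S | re.I)
        if not block or not re.search(r"deny\s+from\s+all|require\s+all\s+denied", block.group(1), re.I):
            unprotected.append(name)
    return unprotected

# Constructed sample inputs, not taken from a real site.
SAMPLE_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('DISALLOW_FILE_EDIT', false);
"""
SAMPLE_HTACCESS = "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n"

if __name__ == "__main__":
    print(audit_wp_config(SAMPLE_CONFIG))
    print(audit_htaccess(SAMPLE_HTACCESS))
```

To audit a real site, read the two files from the WordPress root and pass their contents to the two functions.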