Update!
The most important aspect of WordPress security is also the easiest: keep the WordPress core, your themes, and your plugins updated.
Lock down things you are not using:
Once your site is rolled out, you probably do not need the plugin and theme editor. Disable this by adding this line in wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
You might also want to block plugin and theme installation and updates from the admin screens as well. This constant also disables the file editor and WordPress's automatic background updates, so you will have to run updates yourself (for example over SFTP or with WP-CLI):
define( 'DISALLOW_FILE_MODS', true );
Restrict how users can log in:
Protect wp-config.php:
WordPress loads wp-config.php from the install root and, if it is not there, from the directory one level above (provided that directory is not itself a WordPress install). Moving the file up takes the database credentials and salts out of the web root. If the install sits in a subdirectory of the document root, the parent is still served, so also deny access to the file in the web server configuration. The original example also pins the content directory relative to the relocated file; if you do that, the URL must match the path (example.com is a placeholder):
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example.com/blog/wp-content' );
Do not back up locally using a plugin:
Yes, do back up your site; a good hosting service may offer this. But avoid backup plugins: they typically write their archives, which contain a full database dump and often wp-config.php, inside the web root, where a guessable filename hands the whole site to anyone who asks for it, and the plugin itself is more code that needs patching.
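As an added example that is not part of the original article, the POSIX shell script below audits an install for the points above: where wp-config.php lives (WordPress looks in the install root and, failing that, one directory above it), whether DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are set, whether the config file is world-readable, and whether any SQL dump or archive sits under the web root where the server can serve it. The web-root argument, the archive patterns and the depth searched are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress install
# for the lockdown points above. DOCROOT is the directory that holds
# wp-settings.php. Paths and archive patterns are assumptions.

# wp_config_has CONSTANT FILE
# True when FILE contains define( 'CONSTANT', true ) in any spacing.
wp_config_has() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$2"
}

# find_wp_config DOCROOT
# Prints the wp-config.php WordPress will load: the install root first, then
# the parent directory (which WordPress only accepts when the parent is not
# itself a WordPress install). Fails if neither exists.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# audit_wordpress DOCROOT
# Prints one WARN line per finding; returns 0 only when there are none.
audit_wordpress() {
    root=$1
    findings=0

    cfg=$(find_wp_config "$root") || { echo "FAIL: no wp-config.php for $root"; return 1; }

    # 1. wp-config.php still inside the install directory
    if [ "$cfg" = "$root/wp-config.php" ]; then
        echo "WARN: wp-config.php is inside the web root; move it one directory up"
        findings=$((findings + 1))
    fi

    # 2. the two lockdown constants from the article
    for const in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        if ! wp_config_has "$const" "$cfg"; then
            echo "WARN: $const is not set to true in $cfg"
            findings=$((findings + 1))
        fi
    done

    # 3. world-readable config (database credentials and salts)
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case $mode in
        *[4567]) echo "WARN: $cfg is world-readable (mode $mode)"
                 findings=$((findings + 1)) ;;
    esac

    # 4. backup archives or SQL dumps left where the web server can serve them
    archives=$(find "$root" -maxdepth 3 -type f \
        \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar.gz' \) 2>/dev/null)
    for f in $archives; do
        echo "WARN: backup archive reachable under the web root: $f"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Usage: sh wp-audit.sh /var/www/html/blog
if [ "$#" -gt 0 ]; then
    audit_wordpress "$1"
fi
```

Run it against the install directory after each deployment; a non-zero exit with no WARN lines means no wp-config.php was found at all, which usually means the wrong directory was given.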
Be obscure:
Top it off with security plugins:
Most of the work of securing a site happens server-side. Security plugins can add a further layer on top of that (login rate limiting, file-change monitoring), but every plugin is more publicly reachable code, so pick one that is actively maintained and keep it updated like everything else.
This article is a composite of several external sources. Full credit to the following for providing excellent advice on keeping WordPress secure: