Here are some useful tips to help keep your WordPress site from being hacked. Plugins can help you with many of the tips I mention.
- Keep your themes and plugins up to date.
- Use strong passwords.
- Enable 2FA (two factor authentication).
- Use secure FTP.
- Disable comments if not needed.
- Disable registration if not needed.
- Use https (SSL) on your site.
- Check file permissions. Default should be 640.
- Check folder permissions. Default should be 750.
- Move wp-config outside of public_html. This prevents the file from being accessible from the internet.
- Disable file editing.
- Remove the default admin account with an id of 1. Or change the default ID of the admin account.
- Change the default database prefix.
- Don’t have any users with the name admin, administrator, or webmaster.
- Create secret keys.
- Add blank index.php files where needed.
- Delete readme.html and install.php.
- Keep your computer antivirus program up to date.
- Never use the same password for multiple websites.
- Backup everything in case something happens.
- Disable XML-RPC
- Avoid installing WordPress and not doing anything else to secure it. Your site will get hacked if you do this.
Also check out 23 tips to make your Mac computer more secure.