Update 2020-08-28: Auto-updates for plugins and themes is now built into WP 5.5 and later.
The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.
I use a checklist to remind myself of the various tasks to perform during periodic WP site maintenance. For me monthly seems about right for these tasks. A very active site would benefit from more frequent maintenance.
WordPress uses a cookie to keep track of my login state. While the technical details are a bit out of my comfort zone, if an attacker gets his or her hands on or forges my admin authentication cookie, he or she could take over my admin role and cause a great deal of mischief.
My #1 most important WP security and maintenance practice: Always have an up-to-date backup, stored off my site. If I irreparably mess up my site, or it gets hacked in spite of 