These points have been made before – here and many other places – but bear repeating given the prevalence of WordPress hacks being reported …
- Use a non-obvious admin name and a strong password.
My admin name doesn’t have to be crazy long or complex, just not obvious and especially not ‘admin’. My password should be crazy long and/or complex, and something I can definitely remember.
- Keep everything – WP core, themes, and plugins – up to date.
The option to auto-update will reportedly be built into WordPress 5.5. Until then I can accomplish the same thing by adding a few lines to my child theme functions.php file, or better yet to my custom plugin.
- Never, ever install a nulled theme or plugin.
These are pirated versions of premium (i.e. paid) plugins and themes that have been infected with malware and given away free to gullible cheapskates (I am definitely a cheapskate, so I have to be careful not to be gullible).
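As an added example (not the author's own code), here is what those "few lines" look like when dropped into a small custom plugin: it switches on automatic updates for core, themes, translations and plugins using WordPress's own update filters, and keeps a short hand-update list for plugins that are known to break on update. The plugin slug in that list is a placeholder.

```php
<?php
/**
 * Plugin Name: Auto-Update Everything
 * Description: Turns on automatic updates for WordPress core, themes and plugins.
 */

// Block direct requests to this file; it must only run inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Core: let both minor (security/maintenance) and major releases install themselves.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes and translation files: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Plugins: update everything except a short list to handle by hand.
// 'example-fragile-plugin' is a placeholder slug (assumption); put the slugs
// of plugins you prefer to update manually after taking a backup here.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_by_hand = array( 'example-fragile-plugin' );

    if ( isset( $item->slug ) && in_array( $item->slug, $update_by_hand, true ) ) {
        return false; // leave this one for a manual update
    }

    return true; // everything else updates automatically
}, 10, 2 );
```

Updates run from WP-Cron, so a site that gets no visitors (or has WP-Cron disabled) still needs a real cron job hitting wp-cron.php for this to fire.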
One other cardinal rule – I must always have a recent backup of my site files and database, stored off my site. This won’t prevent me from being hacked, but it will save my bacon if I am hacked or – much more likely – I do something stupid and bugger my site on my own. I use UpdraftPlus paired with Google Drive; both are free.
There are many other security precautions I can take, depending on my level of paranoia (mine is off the charts) and my enjoyment of tinkering. But the simple steps above will thwart nearly all hacks.

