Website security is always a priority for any business doing work online. The first place to look to beef up this security is admin passwords (but that’s not the only thing to address).
Many WordPress websites use either the default admin username or the default with one letter, or a letter-and-number combination, added before or after it, e.g. hadmin or adminh1. Here are a few simple actions that help keep accounts from getting hacked, now or in the future.
1. Update. Always keep WordPress core, plugins and themes up to date. That will stop more than 90% of issues before they start.
2. Use strong admin passwords and avoid using the default admin username or an easy-to-guess variant of it.
a. Password-protect wp-login.php with htpasswd (HTTP basic authentication).
b. If other users, such as subscribers, need to log in, then password locking isn't possible, and you may want to use a plugin that returns a 403 error after N failed login attempts (you decide the value of N).
3. Install a plugin to limit failed login attempts on all installs.
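Items 2b and 3 describe blocking a client after N failed logins. As an added example (not from the original post), this Python script counts failed wp-login.php attempts per IP in an Apache access log and renders an Apache 2.4 .htaccess stanza that answers 403 to the offenders while leaving everyone else able to log in. It relies on the heuristic that a failed WordPress login re-renders the form with HTTP 200 whereas a success redirects with 302; the log lines and the threshold of 5 are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not from a real server).
# Heuristic: WordPress re-renders wp-login.php with HTTP 200 on a failed
# login and answers a successful login with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins_per_ip(log_text):
    """Count POSTs to wp-login.php that returned 200 (form shown again = failed attempt)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].endswith("/wp-login.php") and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts

def ips_over_threshold(counts, n):
    """IPs with at least n failed attempts; sorted so the output is stable."""
    return sorted(ip for ip, c in counts.items() if c >= n)

def htaccess_block(ips):
    """Apache 2.4 stanza: 403 for the listed IPs on wp-login.php only, everyone else allowed."""
    lines = ['<Files "wp-login.php">', "    <RequireAll>", "        Require all granted"]
    lines += ["        Require not ip %s" % ip for ip in ips]
    lines += ["    </RequireAll>", "</Files>"]
    return "\n".join(lines)

if __name__ == "__main__":
    # N = 5 here; the post leaves the threshold to the site owner.
    print(htaccess_block(ips_over_threshold(failed_logins_per_ip(SAMPLE_LOG), 5)))
```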
If your site has been hacked, then it’s a good idea to:
1. Update WordPress and plugins.
2. If some plugins are not needed, update them first and then delete them rather than just deactivating them.
3. Generate new salts (random data used as an additional input to the one-way function that hashes a password or passphrase): https://api.wordpress.org/secret-key/1.1/salt/
4. Change your admin username to something else.
5. Change all passwords, on everything (database, WordPress installs, etc.).
6. Add a limit-login-attempts plugin.
7. Password-protect wp-login.php with htpasswd.
You can also add the following to .htaccess (the per-directory configuration file for the Apache web server):
# secure htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
    deny from all
</Files>
# block access to backups (example extension list; adjust it to match how your backups are named)
<FilesMatch "\.(bak|old|sql|tar|gz|zip)$">
    deny from all
</FilesMatch>