It was Monday morning and I was on a call with a dozen others who are my peers. Each of us helps the small business owner with their businesses in one way or the other. It was at the end of the call and we were each sharing our websites and going over how to make little improvements here and there. Time was running out and there was just enough time for one more website review, I volunteered. As my site was coming up for all to see suddenly the screen turned a maroon red with an outline of a security officer with his hand stretched out and the words of"don't precede malware danger." I was too horrified to remember exactly what it said although there was more. I was concerned I had spent hours on being destroyed plus humiliated the people on the telephone had seen me vulnerable.
Finally, secure your wordpress site will also tell you that there is no htaccess in the wp-admin/ directory. You can put a.htaccess file if you wish, and you can use it to control access to the wp-admin directory from IP address or address range. Details of how to do that are available on the internet.
Also, don't make the mistake of thinking that your hosting company will have your back so far as WordPress backups go. Not always. While they say that they do, it's been my experience that the company may or might not be doing backups. Take that kind of chance?
There's a section of config-sample.php that's headed"Authentication Unique Keys." There are four definitions that appear within the block. A hyperlink is within that section of code. You need to enter Web Site that link into your browser, copy the contents that you return, and replace the keys you have with the unique, pseudo-random keys provided by the website. This makes it harder for attackers to automatically create a"logged-in" cookie for your website.
Along with adding a secret key to your wp-config.php file, also think about altering your user password into something that's strong and unique. A good tip is to avoid common phrases, use letters, and include amounts, although wordPress will let you know the strength of your password. It's also a good idea to change your password regularly - say once every six months.
Do not use wp_ as a prefix for your databases. That default is being eliminated by most web hosting providers but if yours doesn't, fix wp_ to anything but that.