The most important thing I have ever done to protect my WordPress site from hacker to follow some simple tricks here I may suggest you-
- Set up website lockdown and ban users
- Use 2-factor authentication
- Use email as login
- Rename your login URL
- Adjust your passwords
- Protect the wp-admin directory
- Use SSL to encrypt data
- Add user accounts with care
- Change the admin username
- Monitor your files
- Change the WordPress database table prefix
- Back up your site regularly
- Set strong passwords for your database
- Protect the wp-config.php file
- Disallow file editing
- Connect the server correctly
- Set directory permissions carefully
- Disable directory listing with .htaccess
- Update regularly
- Remove your WordPress version number
I personally use the following security protocol/combo:
Keep your WordPress core, theme and plugin always up-to-date. You can’t risk having any kind of vulnerability even for a short time span.
helps protect your website against known sources.
helps protect your WordPress generally speaking, including directories, and also blocks knows sources too. I prefer it to the other same level plugin simply because they have extensive notifications that help tremendously keep an eye on each website’s activity.
to remove REST API if you are not making any use of them.
changes the default login URL. This will cut drastically brute force attacks.
(optional) It helps remove WordPress information that might help make hacking your website easier, like the WordPress, WooCommerce, and Visual Composer generator tags.
Buy a license for. It will shut down any query, injection, scripting based attack. The developer license is best for multiple websites.