There have been quite a few articles written on WordPress security. After running a web hosting company for over a decade, we learned a thing or two about it.
Hidden Viruses
Most common issues are related to hidden viruses that have been introduced via an uploaded file. WordPress allows you to upload scripts as well as pictures and any other files. If you don’t specifically disallow scripts to be run from the upload directory, you are leaving a door open for the hackers.

WPBeginner wrote a good article about how to protect those. Make sure to always implement these!
Update All Plugins
Chances are you have a lot of plugins installed on your WordPress site. They are the main reason your site is slow and vulnerable to hacks. Not all plugins are safe to keep updated. Some might break your site after you update them. You have to make a list of the ones that don’t impact your theme in any way and set them to auto-update.

The rest will have to be dealt with manually. You should hide a PHP developer who also knows HTML/CSS to update these manually for you. That’s the only way!
Admin Accounts
Take a look at the list of your WordPress accounts. You should not have more than one admin account unless you have somebody else managing your site for you. In either case make sure all admins are legit. When you post something make to use an Editor account for that.


Secure Passwords
Your admin account should have a very secure password. Use what WordPress recommends when you are creating one.

This one is very secure and hard to guess. Make sure to save it in your browser and in a secure password manager program.
Latest PHP Version
Your hosting provider should offer the latest versions of PHP that are compatible with WordPress. Make it a habit to check this once or twice a year. This article has information about PHP8 compatibility.

According to Kinsta’s research this is the current PHP utilization on WordPress platform.
Limit Login Attempts Reloaded
One of the most powerful plugins to combat brute force attacks is Limit Login Attempts Reloaded but the premium version is even better because it improves the performance of your site and is constantly evolving.

One thing people overlook is their xmlrpc.php file which is used for XML feeds. Limit Login Attempt Reloaded protects that URL but you can disable it all together using these instructions.
Follow these guidelines and your WordPress site will be clean and healthy.