Keeping WordPress security locked down tight is a must for any professional Web developer. Since WordPress doesn't include many security-enhancing features out of the box, a series of tips and tricks is needed to help less technically skilled users bolster their site's protection level.
Below is a list of recommendations on how to improve your WordPress site's security, along with the names of various plugins, where applicable, that can help you implement each one.
We won't provide links to the plugins' homepages since that would be an SEO catastrophe, but you can easily type their names into the WordPress built-in plugin installer and have them added to your own sites.
1. Keeping the WordPress core, themes, and plugins up to date
There are quite a few plugins that can do this. First off, there's Easy Updates Manager, then there's WP Automatic Updates, and Advanced Automatic Updates.
Besides these, there are also plugins dedicated specifically to automatic updates of just the site's plugins, themes, or core, like Background Updates for Major Releases, Auto Update Themes, or Automatic Plugin Updates.
2. Downloading themes & plugins from well-known sources
Themes and plugins should always be downloaded from well-known, trusted, and established sources.
This includes the WordPress theme and plugin repositories, where insecure content is regularly exposed by WordPress employees or the community, or online marketplaces like ThemeForest, CodeCanyon, Mojo Themes, YOOthemes, WooThemes, Themezilla, and such, where content is provided by well-known developers or tested by someone with expertise.
Sure, you'll find developers offering themes and plugins on their personal sites, and most of the time the code will be harmless and quite useful, but try to avoid any such "free" offerings if you can't read PHP and can't tell what that particular tool actually does.
3. Backups! Backups! Backups!
Having the site automatically back itself up at regular intervals allows you to go back in time to before any "malfunction" or point of attack.
I don't think you need help or recommendations finding a plugin for WordPress backups. Just type "backup" into the CMS' built-in plugin search field and you'll get more than 25 pages of results. From local backups to automatic backups, to Amazon S3 backups, to Dropbox backups, all the niche cases are covered by a plethora of tools.
4. Change your default admin username
For a long time, WordPress automatically created the "admin" username during installation and generated a random password to use with it. A few versions back, there was a shift in policy and Automattic allowed users to set up a custom username for the main admin user.
Just in case you were uninspired during the installation and continued to use "admin" for the admin username, the Admin renamer extended plugin can help you change this later on, even after the site has been installed. Of course, if you like over-complicating things, you can do it the hard way by editing the wp_users table in your MySQL database.
5. Force users to register with stronger passwords
For a few consecutive years now, security researchers have been finding that people still tend to use weak passwords such as their username, the word "password," "123456," or other similar terms.
We cannot fully express in written words what a bad idea it is to have such a weak password. Not just for a WordPress site username, but for any online account.
As a site admin, you can install WP Password Policy Manager or Force Strong Passwords to make users set up accounts with stronger passwords, whether they like it or not.
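The same policy can also be enforced without a plugin by hooking WordPress's own password validation points. The following is an added example, not code from the article or from either plugin named above; the EXAMPLE_ names, the 12-character minimum and the denylist are this example's own assumptions, while the two hooks (user_profile_update_errors and validate_password_reset) are real WordPress core actions.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example, not an official plugin)
 * Placed in wp-content/mu-plugins/ it loads on every request and cannot be disabled from the panel.
 */

// Hypothetical thresholds for this example; tune them for your site.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;
// Fragments the article singles out as common weak choices.
const EXAMPLE_DENYLIST = ['password', '123456', 'admin', 'wordpress'];

// Returns null when the password is acceptable, otherwise the reason it is rejected.
function example_password_problem(string $password, string $username): ?string {
    if (strlen($password) < EXAMPLE_MIN_PASSWORD_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH);
    }
    $lower = strtolower($password);
    if ($username !== '' && strpos($lower, strtolower($username)) !== false) {
        return 'The password must not contain your username.';
    }
    foreach (EXAMPLE_DENYLIST as $bad) {
        if (strpos($lower, $bad) !== false) {
            return sprintf('The password must not contain "%s".', $bad);
        }
    }
    // Require at least three of the four character classes.
    $classes = (int) preg_match('/[a-z]/', $password) + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password) + (int) preg_match('/[^A-Za-z0-9]/', $password);
    return $classes >= 3 ? null : 'Use at least three of: lowercase, uppercase, digits, symbols.';
}

// Profile edit and "Add New User" screens: edit_user() puts the submitted password in $user->user_pass.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    if (empty($user->user_pass)) {
        return; // No password change was submitted.
    }
    $problem = example_password_problem($user->user_pass, (string) ($user->user_login ?? ''));
    if ($problem !== null) {
        $errors->add('weak_password', '<strong>Error</strong>: ' . $problem);
    }
}, 10, 3);

// Password reset form (wp-login.php?action=rp): the new password arrives as $_POST['pass1'].
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    $login = $user instanceof WP_User ? $user->user_login : '';
    $problem = isset($_POST['pass1']) ? example_password_problem((string) $_POST['pass1'], $login) : null;
    if ($problem !== null) {
        $errors->add('weak_password', '<strong>Error</strong>: ' . $problem);
    }
}, 10, 2);
```

Adding an error to the WP_Error object at either hook makes core abort the save and show the message, so a password that fails the check is never written to wp_users.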
6. Prevent access to the administration panel
This can be done via a series of plugins that change the login page URL; some of the tools that can do this are WP Admin Block, HC Custom WP-Admin URL, Protect Your Admin, Custom Login URL, and WPS Hide Login.
7. Use CAPTCHA fields for forms
CAPTCHA fields can help you keep spam bots away from your comment forms, but a CAPTCHA field on the registration and login pages can also be useful to slow down brute-force attacks that might expose your backend.
Just as with site backups, type "captcha" into the WordPress plugin installer and you'll end up with over 15 pages of results. Most of them work fine, and the style of CAPTCHA you implement is largely a matter of personal preference.
Sure, more advice can be given on this topic, and we could actually go on for pages and pages, but these are the basic steps you need to take, even if you're running WordPress as a personal blog or a mere three-page site.