A checklist from Kristen Wright at iThemes
Web security is a big deal. Keeping a website secure is incredibly important. Case in point, Equifax. Here are some tips for maintaining WordPress security from Kristen Wright at iThemes. I expanded on Kristens recommendations a bit. The iThemes Toolbox is one of many good tools out there. Some of these points are specific to iThemes Toolbox, but have comparable settings in other security plugins.
Update WordPress core to latest version
Use a WordPress security plugin like iThemes Security, Wordfence or Sucuri to help perform important WordPress security tasks
Enable 404 Detection because of phishing and other attempts
Enable the Banned Users setting to block specific IP addresses and user agents from accessing your site
Review logs of Banned User IPs
Enable WordPress brute force protection to protect your site against attackers that try to randomly guess login details to your site
Enable Network Brute Force Protection to protect your site against known attackers before they reach your site
Run a WordPress Malware Scan
Enable User Logging to log user actions such as login, editing or saving content and other actions
Disable the File Editor in WordPress Tweaks
Harden WordPress by using the Away Mode setting to limit access to your WordPress login and admin area (for example, overnight or while you’re on vacation)
Whitelist your own IP Address
Review WordPress file permissions
Remove the Admin user
Change WordPress salts & secret keys
Activate and set up WordPress two-factor authentication
