By default, most hosts allow directory listing. Because there are a standard set of directories in a WordPress installation, the hacker can go directly to the directory inside your site and see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.

This is a simple but important problem to fix. You have three options:

1. Place an empty file in each directory with the name INDEX.HTML or INDEX.PHP
2. If you are using an Apache webserver, modify your .htaccess file
3. Use a Security plugin (see the end of the series for suggestions)

Change The Default “Admin” Username

The problem
Brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Users of the brute force method use dictionaries, which give them a lot of password combinations.

Knowing your username makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.

Versions of WordPress starting with 3.0 let you choose your desired username by default, so there should be no excuse for not doing it right. If you have a site that was created with an older version, Admin renamer extended.

Pick Secure Password for Admin

Changing your admin username to something else is not a guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author specific page in multi-author blog, you will reveal your user name to the world.
With that assumption, you should pick secure password for your WordPress login. Combine upper and lowercase characters and numbers.

You can change your password after your site is installed. You may even want to to change it on a regular basis. I recommend the plugin WP Security Scan because it has a password generator.

Populate wp-config.php Properly

Go through each line in wp-config.php, not only the first block for database configuration.

Use WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user’s cookies.

There is an automatic generator for these at: https://api.wordpress.org/secret-key/1.1/salt/

You also want to modify the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wpRbX3i_ obfuscates it enough but still allows you to recognize the tables as those belong to WordPress.

Hide WordPress Version in the Header Tag

Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.

Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)

<?php remove_action('wp_head', 'wp_generator'); ?>
It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog.

New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.

I recommend the plugin Better WP Security which is easy to use and configure, and does many of the security functions for you.

Install a plugin or use cronjob to create database and file backups on a regular basis. This may not be directly related to security, but in case you detect intrusion, you will be glad you make a backup.

I personally like BackWPup.