WordPress Security Checklist

Hosting

• Choose a reputable hosting provider
• Pick a strong password for your hosting account and enable 2FA if possible

Control panel

• Pick a strong password for your control panel account and enable 2FA if possible
• Enable an anti-virus software if there is one (cPanel has ClamAV scanner which can be enabled via WHM)

WordPress

General

• Enforce HTTPS
• Install a security plugin (Wordfence is the most popular free option)
• Schedule regular backups of your website (you can use UpdraftPlus)

Authentication

• Pick a strong password for the admin account
• Delete unused accounts
• Enforce strong passwords for users
• Disable registration if you don't need it (Settings > General > Uncheck 'Anyone can register')
• Disable XML-RPC if you don't need it (you most likely don't)
• Regularly change passwords
• Activate 2FA for admin accounts (can be done with Wordfence)
• Add a captcha to the admin login page (can be done with Wordfence)
• Hide the login page (you can use WPS Hide Login)

Themes and plugins

• Don't overload your website with too many plugins/themes
• Don't use plugins/themes that are not regularly updated
• NEVER use cracked/nulled plugins/themes
• Keep your plugins/themes up to date