Keeping WordPress Secure
These recognized best practices should always be followed when running WordPress on a publicly reachable server; together they substantially reduce the site's exposure to common attacks.
Software
- Install WordPress updates promptly and consistently, including updates to plugins and themes, not just to core; most compromises of WordPress sites exploit known, already-patched vulnerabilities in out-of-date components.
- Choose third-party plugins carefully, selecting plugins whose authors have a known track record. Avoid plugins that are incompatible with recent versions of WordPress. Deactivate and delete plugins that are not in use; an inactive plugin's files are still on the server and can still be exploited.
- Remove the WordPress version number from page headers. Note that the version is also revealed by readme.html and by the query strings appended to stylesheet and script URLs, so this hides it from casual scanners only; keeping the installation patched is what actually matters.
Account usernames and passwords
- Always use strong, unique passwords for administrator, editor, and author accounts: long (at least 12 characters), randomly generated, and stored in a password manager. Never reuse a password from another site, and avoid dictionary words and predictable substitutions.
- Delete or rename the default administrator account so that no account is named "admin"; it is the first username every brute-force tool tries.
- Avoid login names that are simply an author's published name. WordPress uses the login name as the default author-archive slug (for example /author/username/), so a visitor can usually read it off the site; give accounts with extensive privileges a login name that differs from the display name.
- Suggested: use a plugin to log and monitor failed password attempts.
MySQL Database
- Rename the database tables so that they do not use the default wp_ table prefix. This only hinders attackers who guess table names blindly; it does nothing against SQL injection in code that already knows the prefix, so treat it as a minor layer, not a defense.
- Create a strong, unique username and password for database access. (These credentials are used internally by WordPress and stored in wp-config.php.)
- Limit the database account so that it can connect only from specific hosts, and grant it only the privileges WordPress needs on its own database. For example, if WordPress is hosted at Dreamhost, I can restrict the MySQL account so that it accepts connections only from a Dreamhost server. This prevents someone who has obtained the credentials from connecting to the database from another machine.
- Back up the database daily, and keep copies off the web server.
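The following shell helpers are an added example, not part of the original post: they generate a non-default table prefix and a random database password, and print the MySQL statements that create a WordPress database user restricted to one connecting host with only the privileges WordPress needs, plus a daily mysqldump crontab line. The database name, user name, host address and backup directory used below are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the "MySQL Database"
# checklist: random table prefix, strong DB password, least-privilege grant SQL
# restricted to one host, and a daily dump. All names are placeholders.
set -u

# gen_table_prefix: prints "wp_" + 6 random lowercase alphanumerics + "_",
# e.g. "wp_k3x9qa_". WordPress requires the prefix to match [A-Za-z0-9_]+.
gen_table_prefix() {
  printf 'wp_%s_\n' "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)"
}

# gen_db_password [LEN]: LEN (default 32) random alphanumerics. The character
# set is chosen so the value needs no escaping in wp-config.php or in SQL.
gen_db_password() {
  len=${1:-32}
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
  echo
}

# render_db_grant_sql DB USER HOST PASSWORD
# Prints SQL creating USER that may log in only from HOST. WordPress needs
# row access plus DDL on its own database (core upgrades and plugins create
# and alter tables). It never needs FILE, PROCESS, SUPER or other databases,
# so none of those are granted. The backticks are escaped so the heredoc
# does not treat them as command substitution.
render_db_grant_sql() {
  db=$1 user=$2 host=$3 pass=$4
  cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# render_backup_cron DB BACKUP_DIR
# Prints a crontab line that dumps DB every day at 03:15 into a dated,
# gzipped file. Credentials are expected in a [client] section of ~/.my.cnf
# rather than on the command line, so the password never shows up in `ps`.
# In crontab, % must be written as \% or cron treats it as a newline.
render_backup_cron() {
  db=$1 dir=$2
  printf '15 3 * * * mysqldump --single-transaction %s | gzip > %s/%s-$(date +\\%%F).sql.gz\n' \
    "$db" "$dir" "$db"
}

# Usage: generate values, then run the SQL as an administrative MySQL user.
main() {
  prefix=$(gen_table_prefix)
  pass=$(gen_db_password)
  echo "table_prefix = '$prefix'"
  render_db_grant_sql wpdb wpuser 10.0.0.5 "$pass"
  render_backup_cron wpdb /var/backups/wordpress
}
[ "${1:-}" = run ] && main
```

Run with `sh script.sh run` to print a prefix, the grant statements and the cron line; paste the SQL into a `mysql` session as an account allowed to create users, and put the generated prefix and password into wp-config.php.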
Server
- Disable directory listings (an index file in each directory, or `Options -Indexes` in .htaccess) so that visitors cannot browse the contents of WordPress directories. Use a security scanner, or a simple find over the document root, to check for files and directories with incorrect (in particular world-writable) permissions, and make sure wp-config.php is not readable by other users on the host.
- Use the robots.txt file to discourage search engines from indexing files within the WordPress installation. robots.txt is advisory only: it does not restrict access to anything, and the paths it lists are readable by anyone, so never rely on it to hide sensitive files.
- Password protect the wp-admin directory at the server level, if possible. (Depending on how your blog is used, it may not be practical; for instance, it breaks admin-ajax.php for logged-out visitors.)
- Suppress PHP error messages on the production site (display_errors off in php.ini or .htaccess, and WP_DEBUG false in wp-config.php); error output discloses file paths and sometimes query fragments.
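As an added example that is not part of the original post, the two shell functions below cover the server checks above: one writes an .htaccess that disables directory listings, blocks direct requests to wp-config.php and the version-revealing readme.html, and switches off on-screen PHP errors; the other audits a WordPress document root for world-writable files and an over-permissive wp-config.php. It assumes Apache 2.4 (`Require` syntax) with AllowOverride enabled for the document root; the module name in the IfModule guard is an assumption that varies with the PHP version.

```shell
#!/bin/sh
# Added example (not from the original post): hardening and audit helpers
# for the "Server" checklist. Assumes Apache 2.4 with AllowOverride enabled
# for the WordPress document root, plus POSIX find and GNU or BSD stat.
set -u

# write_htaccess_hardening DOCROOT
# Writes DOCROOT/.htaccess. Directory listings are disabled everywhere below
# it, wp-config.php (DB credentials) and readme.html (WordPress version) are
# never served, and PHP errors are kept off the page under mod_php.
write_htaccess_hardening() {
  docroot=$1
  cat > "$docroot/.htaccess" <<'EOF'
# Never list directory contents, even where no index file exists.
Options -Indexes

# wp-config.php holds the database credentials; never serve it directly.
<Files "wp-config.php">
    Require all denied
</Files>

# readme.html advertises the installed WordPress version.
<Files "readme.html">
    Require all denied
</Files>

# php_flag works only under mod_php (module name assumed; mod_php7.c on PHP 7).
# With PHP-FPM, set display_errors = Off in php.ini or .user.ini instead.
<IfModule mod_php.c>
    php_flag display_errors off
</IfModule>
EOF
}

# audit_permissions DOCROOT
# Reports every world-writable file or directory under DOCROOT (a web shell
# dropped into an uploads directory is the classic result) and complains if
# wp-config.php grants any permission to "other". Returns 1 if anything is
# wrong, 0 if clean, so it can gate a deployment script.
audit_permissions() {
  docroot=$1
  rc=0
  # -perm -0002: mode includes the "other write" bit.
  bad=$(find "$docroot" -perm -0002 | wc -l)
  find "$docroot" -perm -0002 | sed 's/^/WORLD-WRITABLE: /'
  [ "$bad" -eq 0 ] || rc=1

  cfg=$docroot/wp-config.php
  if [ -f "$cfg" ]; then
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case $mode in
      *0) ;;  # last digit 0: no read/write/execute for "other"
      *) echo "wp-config.php is mode $mode: readable by other users"; rc=1 ;;
    esac
  fi
  return $rc
}

# Usage: sh harden.sh /var/www/html
if [ "${1:-}" ]; then
  write_htaccess_hardening "$1"
  audit_permissions "$1" && echo "permissions OK"
fi
```

Run it once against the document root after installation and again after each plugin or theme update, since installers sometimes loosen permissions; a non-zero exit from `audit_permissions` is the signal to fix ownership and modes before the site goes live.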
Additional recommendations
- Use a web host with a feature set that is helpful for maintaining a secure WordPress environment. Automated backups are a requirement. I use Dreamhost for all of my clients’ WordPress sites, and have been very pleased with their support for WordPress.
- When restoring an installation that has been damaged or compromised, reinstall WordPress, plugins and themes from fresh downloads, then import the blog content from the XML export file generated by WordPress rather than from a copy of the MySQL database. This creates some extra work (registered users and plugin options are not transferred), but it prevents injected content in the old database, such as spam links or altered plugin settings, from being carried into the clean system.