This is an easy decision. Whenever you set up a new user account, use only a strong, unique password. Otherwise, the account can be compromised by hackers. Hackers commonly use software such as Wireshark or Fiddler to capture WordPress login credentials. Always use strong, unique passwords for WordPress users, hosting and the database.
2. Insecure Web Hosting:
WordPress sites are hosted on a web server. Some hosting providers do not properly secure their hosting platform, which leaves every site hosted on their servers vulnerable to hacking attempts. Make sure your website is hosted on a safe and secure server that can block many of the most common attacks on WordPress websites.
3. Not Updating WordPress, Plugins or Theme:
Some people are afraid of updating their WordPress websites because of the misconception that doing so will break the site. Updating WordPress, plugins and themes fixes bugs and security vulnerabilities in your website. Make sure you keep your WordPress theme and plugins up to date.
4. Incorrect File Permissions:
File permissions are a set of rules used by the web server to control access to files. A permission is represented by a set of numbers, such as 644 or 777. Incorrect file permissions can give hackers the ability to write to and change files on your server. Make sure all files are set to 644 and all directories/folders are set to 755. The wp-config.php file should be 660.
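The permission targets above can be checked without changing anything on disk. The following is an added example, not part of the original article: a POSIX shell audit that lists every directory not at 755, every file not at 644 and any wp-config.php not at 660, and marks world-writable entries. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: report-only audit of a WordPress tree against the modes
# stated above (directories 755, files 644, wp-config.php 660).
# Function names are hypothetical. Paths containing newlines are not handled.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_set EXPECTED find-args...
# Prints "<expected> <actual> <flag> <path>" for each path find returns.
# flag is WORLD-WRITABLE when "other" has write access, otherwise "-".
check_set() {
    want=$1; shift
    find "$@" -print | while IFS= read -r p; do
        have=$(mode_of "$p")
        case $have in
            *[2367]) flag=WORLD-WRITABLE ;;   # last octal digit has the write bit
            *)       flag=- ;;
        esac
        printf '%s %s %s %s\n' "$want" "$have" "$flag" "$p"
    done
}

# audit_wp_perms ROOT: print every deviation under ROOT; nothing is modified.
audit_wp_perms() {
    root=$1
    check_set 755 "$root" -type d ! -perm 755
    check_set 660 "$root" -type f -name wp-config.php ! -perm 660
    check_set 644 "$root" -type f ! -name wp-config.php ! -perm 644
}

# count_wp_perm_issues ROOT: number of deviations (0 means the tree matches).
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}
```

Run `audit_wp_perms` against the site's document root and review each reported line before changing any mode, since some hosts need different ownership or group settings for 660 on wp-config.php to work.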
5. Using ‘Admin’ as WordPress Username:
Using admin as your WordPress administrator username is not recommended. Change it to a different username immediately; otherwise hackers will be able to hack your website easily.
6. wp-config.php File Not Secured:
WordPress database credentials are stored in the wp-config.php file. If hackers compromise this file, it becomes easier for them to gain complete access to and control over your website. To prevent this, add an additional level of protection by denying access to the wp-config.php file using .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>