Security Tips for securing your wordpress website Site

    Developing a WordPress site is very popular these days, and there is no doubt WordPress is by far the most prominent CMS on the market. It is the most popular choice for business websites such as web hosting, design and development companies, and other small or mid-sized businesses across many sectors. It is very easy to install and customize; moreover, it is free of cost, with tons of plugins available for tweaking and optimization. WordPress sites have the look and feel of a modern website, which everyone wants today for social networking and SEO friendliness.
    There are a lot of ready-made WordPress themes available, along with images you can customize according to your needs, so you don't have to ask a designer or developer to purchase images.

    However, even after installing security plugins, WordPress websites still carry a risk of being hacked, and you get worried when you start receiving LFD alerts about the wp-login.php and xmlrpc.php files being under attack. These attacks are nothing but automated brute force attacks, which attackers use to break in or to infect your site with malware.

    Here are some of the tips I would like to share to keep your websites secure and safe from brute force attacks.

    The first step in doing things right is choosing the right admin username.

    During installation, avoid using admin or root for the administrator user. You can easily use your email address or some complex username, together with a strong password.

    Akismet, the plugin installed by default with WordPress, protects your blog from spam comments by filtering them out of your articles. The basic plan is free with limited checks, so you can use it by activating an account. If you don't want any comments on your articles or posts at all, the best thing to do is disable comments under Settings > Discussion.

    We will divide security into two stages: the first at the server level and the second at the website level.

    Server Level Security Implementation

    The web server, whether Apache, Nginx or LiteSpeed, should be running its latest version. Make sure you install and integrate ModSecurity with the web server: common exploits like SQL injection, XSS, malicious file uploads and code execution all have consequences for a WordPress site, and they can be blocked with ModSecurity rules if properly implemented on the server.

    Since WordPress is written in PHP, servers should run an up-to-date PHP version that is properly hardened. Using a CloudLinux based kernel is recommended.

    1.) Install the CSF firewall and LFD (Login Failure Detection) to protect the server from brute force attacks.

    2.) Stop unused services and lock down ports with a firewall.

    3.) Install the maldet scanner and run it at regular intervals. Maldet will help find malware and spyware on the server.

    4.) Monitor the access and error log files for brute force attacks. If you notice entries like the following in a domain's access log, it is clear the site is under attack:

    xx.xx.xx.xx - - [22/May/2016:23:09:50 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "http://www.sitename.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    5.) Secure the MySQL server.
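    Reading the access log by eye, as item 4 suggests, does not scale once a site is under a sustained attack. The following script is an added example for this article (not code from the original post or from CSF, LFD or any other tool named here): it parses Apache/Nginx combined-format log lines, counts login attempts per client IP against wp-login.php and xmlrpc.php inside a sliding time window, and reports the IPs whose peak rate crosses a threshold. The sample log lines are constructed for illustration; the first is the entry quoted above. The threshold, window, IP addresses and timestamps are all assumed values.

```python
"""Flag WordPress brute-force activity in a combined-format access log.

Added example for this article, not code from the original post or from any
tool it names. Sample log lines below are constructed; the first one is the
entry quoted in the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a non-matching line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_login_attempt(method, path, status):
    """True for a request that represents a password guess against WordPress."""
    if path.endswith("/xmlrpc.php"):
        # Counted regardless of status: one XML-RPC POST can carry many guesses.
        return method == "POST"
    if path.endswith("/wp-login.php"):
        # A failed login re-renders the form (200); a successful one redirects (302).
        return method == "POST" and status == 200
    return False


def find_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak attempts within `window`} for IPs at or above `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, ts, method, path, status = parsed
        if is_login_attempt(method, path, status):
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# ---- constructed sample data (assumed values, not real traffic) ----------------
_TZ = timezone(timedelta(hours=-5))
_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, when, request, status):
    return (f'{ip} - - [{when.strftime(_FMT)}] "{request}" {status} - '
            f'"-" "Mozilla/5.0 (constructed)"')


SAMPLE_LOG = [
    # The entry quoted in the article.
    'xx.xx.xx.xx - - [22/May/2016:23:09:50 -0500] "GET /wp-admin/ HTTP/1.1" 302 - '
    '"http://www.sitename.com/wp-login.php" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    # Constructed: a real user mistypes once (200), then logs in (302).
    _line("203.0.113.7", datetime(2016, 5, 22, 23, 10, 1, tzinfo=_TZ), "POST /wp-login.php HTTP/1.1", 200),
    _line("203.0.113.7", datetime(2016, 5, 22, 23, 10, 20, tzinfo=_TZ), "POST /wp-login.php HTTP/1.1", 302),
    "garbage line that does not match the log format",
]
# Constructed: 15 failed wp-login.php POSTs from one client, one every four seconds.
SAMPLE_LOG += [
    _line("192.0.2.50", datetime(2016, 5, 22, 23, 11, 0, tzinfo=_TZ) + timedelta(seconds=4 * i),
          "POST /wp-login.php HTTP/1.1", 200)
    for i in range(15)
]
# Constructed: 12 xmlrpc.php POSTs from another client, one every ten seconds.
SAMPLE_LOG += [
    _line("198.51.100.23", datetime(2016, 5, 22, 23, 12, 0, tzinfo=_TZ) + timedelta(seconds=10 * i),
          "POST /xmlrpc.php HTTP/1.1", 200)
    for i in range(12)
]

if __name__ == "__main__":
    for ip, peak in sorted(find_brute_force(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} login attempts within 5 minutes")
```

    Run against a real log by reading the file into `find_brute_force` instead of `SAMPLE_LOG`. The single 200 from the legitimate user stays below the threshold, while both constructed attackers are reported; the sliding window matters because a slow attacker spread over hours can still show a low per-window rate, so tune the threshold and window to the site's normal login traffic before acting on the output.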

    Website Level Security Implementation

    1.) Use strong passwords for all of your logins, whether FTP, cPanel or database logins; strong passwords are the basic protection against brute force attacks.

    2.) Install an SSL certificate on your site.

    3.) Remove unwanted plugins, since even an unused plugin can still pose a security risk. If you are using customized themes, remove the themes that are not in use, except for the default one.

    4.) Enable automatic core updates (WordPress automatic updates are available in the admin panel), and set plugins and themes to update automatically.

    5) Disable PHP error reporting (attackers usually learn the server's full path when PHP error reporting is enabled).

    6) Protect WordPress files like wp-login.php, xmlrpc.php and wp-config.php using .htaccess; a lot of information on this is available online. Here is one example of setting up HTTP authentication for wp-login.php to restrict brute force attacks against it: first create the htpasswd file with the htpasswd command, then put the following in your .htaccess file.

    Code:
    # Protect wp-login
    <Files wp-login.php>
        # Apache does not expand ~; give the absolute path of the file created with htpasswd
        AuthUserFile /full/path/to/.htpasswd
        AuthName "Restricted access"
        AuthType Basic
        require user mysecretuser
    </Files>

    Or you can simply set up an IP based restriction for wp-login.php:

    Code:
    <Files wp-login.php>
        # Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat,
        # the native equivalent being "Require all denied" plus "Require ip 115.xx.xx.xx"
        order deny,allow
        deny from all
        allow from 115.xx.xx.xx
    </Files>

    To restrict access to wp-config.php with .htaccess, add the following:

    Code:
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>
    7) Change the admin username and the login URL to something different, and give admin privileges to that user.

    8) Track dashboard activity (for example with the WP Security Audit Log plugin).

    9) Database security: if you run multiple blogs on the same server, it is wise to keep them in separate databases.

    10) Finally, the golden rule is to make sure you have a backup of your database; store backups both locally and remotely.

    11) Use of a security plugin like Wordfence is a must. Other plugins are useful too: WP DB Backup lets you back up your core WordPress database tables in just a few clicks, and WP Security Scan is a good tool for finding vulnerabilities in your site.

    I hope the above tips help.