Do not use username “admin” – when someone tries to brute-force into your site, this will likely be the first username they try.
Keep your WordPress and plugins up to date.
- Use a password manager to store your passwords. This will allow you to use strong passwords for your site (and anything else) without committing your memory to remembering all of the combinations special characters, letters and numbers.
- Akismet – a very effective option to detect and block spam comments from your blog.
Wordfence (free/paid) – a free version allows to scan your source code, themes and plugins; set up limits on login attempts; sent email notifications when somebody logs in to your site or enters invalid credentials. If the number of users who can login to you site is relatively small, I recommend immediately locking out the users who try to log in with an invalid name, which is an excellent option to defend against brute-force attacks.
A paid version allows to set up two-factor authentication, country-blocking, advanced spam scan options.
- IQ Block Country (free) – you can combine it with the Wordfence to get additional protection for country blocking if you don’t want to pay Premium for Wordfence. IQ Block Country allows to block certain countries (determined by IP) from logging to either your frontend or backend pages.
There is a potential that Wordfence and IQ Block country may conflict with each other; I have used both plugins without experiencing any conflicts.
When considering country blocking, you may want to check your Spam folder to see where most of your spam comes from; or if you already use Wordfence – it can tell from which countries most of the invalid logins orginate. Use this information to lock your back-end or front-end. I found country blocking surprisingly effective against spam.
Obviously, an IP can be spoofed if someone truly wants to break into your site. But my goal is to defend against most obvious types of attacks.