If you think you may already have been hacked, you can scan your website using Sucuri’s free site scanner. Even if the scan comes back clean, we highly recommend ponying up a little dough and buying a Sucuri license. For the average user, you’re only looking at like $90/year. It’s worth every penny!
This free security plugin records the IP address and timestamp of every failed login attempt. After a certain number of failed attempts (a number you can choose) it will disable login for that IP address for some period of time (an hour, day, whatever). What’s the point? This makes it take years (if not decades) for a hacker to use a script that just guesses and guesses your login until it guesses right (called brute force password discovery).
It’s a light-weight, highly customizable plugin and, with over 150,000 downloads and counting, it works. Did I mention it was free?!
SSL certificates are not just for eCommerce websites. Even if your site is all content, a $70-$80 SSL certificate will allow you to encrypt (up to the maximum the NSA will allow) the WordPress login screen.
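To make the mechanism concrete, here is an added example (not the plugin’s own code) of the failed-login limiter described above: it records a timestamp per failed attempt by IP, and once a chosen number of failures lands inside a window it locks that IP out for a chosen period. The class name, the threshold/window/lockout values and the sample IP are all constructed for illustration; a real plugin would persist this state in the database rather than in memory.

```php
<?php
// Added example, not the plugin's code: an in-memory failed-login limiter keyed by IP.
// Thresholds below are constructed defaults; pick values that suit your site.

final class LoginLimiter
{
    /** @var array<string, int[]> ip => unix timestamps of recent failures */
    private array $failures = [];
    /** @var array<string, int> ip => unix time at which the lockout expires */
    private array $lockouts = [];

    public function __construct(
        private int $maxAttempts = 5,       // failures allowed inside the window
        private int $window = 900,          // count failures from the last 15 minutes
        private int $lockoutSeconds = 3600  // then refuse logins from that IP for an hour
    ) {}

    // Called before showing/processing the login form: true means "refuse this IP".
    public function isLocked(string $ip, int $now): bool
    {
        if (!isset($this->lockouts[$ip])) {
            return false;
        }
        if ($this->lockouts[$ip] > $now) {
            return true;
        }
        // Lockout expired: forget it and the failures that caused it.
        unset($this->lockouts[$ip], $this->failures[$ip]);
        return false;
    }

    // Called on a wrong username/password. Keeps only failures inside the window,
    // so an attacker cannot accumulate a lockout from attempts spread over days.
    public function recordFailure(string $ip, int $now): void
    {
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn(int $t): bool => $t > $now - $this->window
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);

        if (count($recent) >= $this->maxAttempts) {
            $this->lockouts[$ip] = $now + $this->lockoutSeconds;
            // The IP and timestamp are exactly what you want in a log for later review.
            error_log(sprintf('[%s] login lockout for %s after %d failures',
                date('c', $now), $ip, count($recent)));
        }
    }

    // A correct login clears the slate for that IP.
    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip], $this->lockouts[$ip]);
    }
}

// Constructed sample run: five wrong passwords a couple of seconds apart from one
// address (203.0.113.7 is a documentation-only address, not a real host).
$limiter = new LoginLimiter(maxAttempts: 5, window: 900, lockoutSeconds: 3600);
$t0 = 1_700_000_000;
$ip = '203.0.113.7';
foreach (range(0, 4) as $i) {
    $limiter->recordFailure($ip, $t0 + $i * 2);
}
var_dump($limiter->isLocked($ip, $t0 + 60));          // locked right after the fifth failure
var_dump($limiter->isLocked($ip, $t0 + 3600 + 60));   // checked again after the lockout period
```

The arithmetic the post alludes to follows directly from the numbers: with five guesses per hour per IP, a script that could otherwise try thousands of passwords a second is reduced to a few dozen a day, which is why a limiter plus a non-dictionary password pushes a brute-force run out to years.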
Just buy the SSL (GoDaddy’s running a special on them right now) and add the following to your wp-config.php file before the line that says: “That’s all. Stop editing” to force login over SSL:
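As an added example (this is not the snippet from the original post), the wp-config.php fragment below uses WordPress’s documented FORCE_SSL_ADMIN constant, which forces both the login screen and the dashboard over HTTPS. The block also handles the one case that commonly breaks this setting: a site behind a reverse proxy or load balancer that terminates TLS, where PHP does not see HTTPS itself and WordPress would otherwise redirect in a loop. The proxy check is taken from the WordPress documentation on administration over SSL; whether your host actually sets X-Forwarded-Proto is something to confirm with them.

```php
<?php
// Added example, not the post's own snippet. Place this in wp-config.php above the
// line "/* That's all, stop editing! Happy publishing. */".

// If TLS is terminated at a proxy/load balancer, WordPress only learns the original
// request was HTTPS from this header. Only trust it when such a proxy is in front
// of you, since a client talking directly to PHP could set the header itself.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

// Force the login form and every wp-admin request onto HTTPS, so the password
// never crosses the wire in the clear. (This supersedes the older FORCE_SSL_LOGIN.)
define('FORCE_SSL_ADMIN', true);
```

Quick check after saving: open http://yoursite/wp-login.php and confirm the browser is redirected to the https:// address before the form renders; if instead you land on a redirect loop, the proxy header handling above is what needs attention.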