Protect your WordPress site from attacks

Three excellent options stick out in my mind. I’ve added an extra credit assignment for you overachievers.

Update your version of WordPress.

This is extremely important. The guys over at Automattic are constantly updating and tweaking WordPress core. Take advantage of their generosity! NOTE: Since WordPress 3.7 this shouldn’t be an issue. WordPress updates ITSELF! Gotta love that!

Remove this user -> admin

Some attacks on your site can be prevented or delayed if you use a username other than admin.

Disable support for XML-RPC.

Have you heard of these crazy attacks that have been happening lately? WordPress has the option to allow or disallow pingbacks from other WordPress-powered blogs. Some attackers have been able to exploit this connection feature. If you don’t ever plan to use this feature, you can turn it off in Settings->Discussion and untick “Allow link notifications from other blogs (pingbacks and trackbacks)”. Better yet, you can rename the file xmlrpc.php in your WordPress install or delete the file entirely. Doing so should not affect the functionality of your website.
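As an added example (not from the original post), here is a must-use plugin that switches the endpoint off with WordPress’s own filters instead of renaming xmlrpc.php, which the next core update would put back anyway. The file path in the header is an assumption; any file in wp-content/mu-plugins/ loads automatically.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Example mu-plugin; save as wp-content/mu-plugins/disable-xmlrpc.php (assumed path).
 */

// Refuse the XML-RPC methods that require a login (remote publishing, etc.).
// NOTE: this filter only covers authenticated methods; unauthenticated ones
// such as pingback.ping still answer, so they are handled separately below.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop the pingback methods from the method table so pingback.ping cannot be called at all.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header and the RSD <link> in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before loading WordPress,
// so any direct hit on the endpoint gets a 403 before the XML body is parsed.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

Jetpack and the WordPress mobile apps talk to your site over XML-RPC, so skip this if you rely on them.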

**Extra Credit** Use Hide Login+ or a similar plugin.

Hide Login+ hides your login screen behind a separate URL. This is handy since hacker bots are always searching websites for a login page in an attempt to access the site’s admin area. You can specify what folder structure you want to use in the plugin settings. Come up with some really weird ones that no one will EVER figure out, not even you!

The typical login URL for a WordPress site: www.yoursite.com/wp-admin

After: www.yoursite.com/pickles/ketchup/picklesketchupsandwich/wp-admin

www.yoursite.com/where/is/my/login/screen/again? Just don’t forget where you put it!