Here are a few rules that I follow:
1. Never use an automated WordPress installer to set up WP. Your username should NOT be ‘admin’.
2. Use your own database table prefix.
3. Disable unauthorized access to the wp-admin folder (I restrict access to a certain set of IP addresses. Of course, if you also allow user registration, you cannot restrict the backend.)
4. Be careful about what plugins you install. Badly coded plugins can create vulnerabilities. Also make sure that they are up-to-date.
5. Check folder permissions.
6. Hide the WordPress version.
7. Consider 3rd party services. (CloudFlare will speed up your site and help secure it for free.)
8. Make sure your directory structure is hidden.
…
There are a lot of tips out there. You might as well start here:
http://codex.wordpress.org/Hardening_WordPress
You could also Google it and if you have any questions about anything, just ask about it here on the Forums.
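As an added example (not part of any post in this thread), here is a small POSIX shell audit that checks an install against rules 2, 5 and 9 from the list above. The thresholds are my assumptions taken from the Codex hardening page: nothing group- or world-writable, wp-config.php not world-readable, a non-default table prefix, and `Options -Indexes` in the web-root .htaccess.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree against rules
# 2, 5 and 9.  Prints one "CODE path" line per finding and returns 1 when
# anything was found, 0 when clean.  Assumed thresholds: no group/world-
# writable files or directories (755/644), wp-config.php not world-readable,
# a non-default table prefix, and "Options -Indexes" in the root .htaccess.
wp_audit() {
    root=$1
    wpconf="$root/wp-config.php"
    out=$( {
        # Rule 5: anything writable by group or other is too loose
        find "$root" \( -perm -g+w -o -perm -o+w \) -print | sed 's/^/PERM_WRITABLE /'

        # Rule 5: wp-config.php holds DB credentials; "other" must not read it
        if [ -f "$wpconf" ] && [ -n "$(find "$wpconf" -perm -o+r)" ]; then
            echo "CONFIG_WORLD_READABLE $wpconf"
        fi

        # Rule 2: the stock 'wp_' table prefix is still configured
        if [ -f "$wpconf" ] && grep -Eq \
            "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$wpconf"; then
            echo "DEFAULT_PREFIX $wpconf"
        fi

        # Rule 9: directory listings are not switched off at the web root
        if ! grep -Eqi '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null; then
            echo "INDEXES_NOT_DISABLED $root/.htaccess"
        fi
    } | sort )

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (path is a placeholder): wp_audit /var/www/html
```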
Make sure your own desktop is clean as well (lots of sites get hacked through credentials stolen by a desktop virus).
A good text about it:
http://blog.sucuri.net/2010/11/yet-another-wordpress-security-post-part-one.html
thanks,
What dd@sucuri.net says is true. Another tip: if you use FileZilla, put it in Kiosk mode before its first use.