Semi-geek: I'm confident with managing plugins, except where the preferences get too complex. Our site has a tech volunteer who does good work, but his time is stretched, so I want to see what I can do by myself to make it more secure - and where help is needed, at least
Background: We've never had our WordPress site hacked, and although we've got open commenting, spam is being handled nicely, thanks to the wonderful Akismet and Bad Behavior plugins. But I'd like us to be more secure now, rather than after an attack.
Question - what are the easiest steps for security?
I've found several suggestions & plugins:
#1. Don’t use the admin account - DONE (the only one I've done). (I changed its permissions to "subscriber" - didn't see a delete option) (from Top 5 WordPress Security Tips You Most Likely Don’t Follow.)
#2. Four other suggestions at the above link. Restricting the IP isn't an option for us (we move around), and for the others, I'm not sure I've understood everything I have to do, and I'm afraid I'll break something.
#3. HTTPS for /wp-admin/ - Administration Over SSL - that looks quick, easy... & probably important in this age of Firesheep.
#4. Secure WordPress - makes a lot of changes I don't understand. I'm not completely sure that it won't break other functionality on the site, including social media plugins.
#5. BulletProof Security - as above
Before making a lot of changes, I'd like to be confident that all the changes are good. Suggestions appreciated!