§ Security

Website security: eight basics that prevent 95% of attacks

Most hacked Romanian websites aren't specific targets. They're victims of automated scans looking for weak configurations. Eight basic measures drop your risk by an order of magnitude.

1. HTTPS everywhere, forced

A free TLS certificate (Let's Encrypt via Nginx Proxy Manager, Caddy, or Cloudflare), a 301 redirect from HTTP to HTTPS, and an HSTS header. Without these, anything that passes between the browser and the site can be intercepted in transit.

2. Automatic updates for CMS and plugins

Over 80% of compromised WordPress sites have an unpatched plugin. Turn on automatic updates for security patches; major updates stay manual, but minor ones shouldn't wait a single day.

3. Strong passwords + 2FA on admin accounts

Not "admin123". Use a password manager for admin accounts and enable 2FA (authenticator app, not SMS). Include the hosting and domain registrar accounts as well; they are the ones that usually get forgotten.

4. Daily automated backups, tested

A backup that has never been restored isn't a backup, it's hope. Configure daily DB + file backups, keep 30 days in rotation, and run a test restore once a quarter. In an incident, this is the difference between 2 hours and 2 days of downtime.

5. WAF (Web Application Firewall)

Cloudflare (even the free plan) blocks most bots and common attacks. Rate-limiting public endpoints (login, contact form) prevents abuse without hurting real users.

6. Separate prod from dev

Staging with different credentials, different databases, restricted access (VPN or IP whitelist). Don't work directly on prod, don't leave debug endpoints publicly accessible.

7. Logs that someone actually looks at

Collect access logs (Nginx) and app logs in a central place (even a simple server with logrotate works). An alert on "more than 50 404s in 5 minutes" catches automated scans early.
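The "more than 50 404s in 5 minutes" rule, written out as a small detector over Nginx access-log lines. This is an added example, not code from the original post; it counts 404s per source address (so the alert names the scanner) in a sliding five-minute window, and the log lines it runs on are constructed sample data with documentation-range IPs.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Matches the fields we need from Nginx's default "combined" log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 01/Mar/2024:10:00:00 +0000
WINDOW = timedelta(minutes=5)
THRESHOLD = 50                      # alert when 404s inside WINDOW exceed this

def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT), int(m.group("status"))

def detect_scans(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of 404s per source IP; returns a list of (ip, time, count) alerts."""
    recent = {}      # ip -> deque of 404 timestamps still inside the window
    last_alert = {}  # ip -> time of last alert, so a long scan raises one alert per window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != 404:
            continue
        ip, ts, _ = rec
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and (ip not in last_alert or ts - last_alert[ip] > window):
            last_alert[ip] = ts
            alerts.append((ip, ts, len(q)))
    return alerts

def sample_log():
    """Constructed sample (not real traffic): one address requesting 60 missing pages 3 s apart, plus a normal visitor."""
    base = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = (base + timedelta(seconds=3 * i)).strftime(TIME_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "GET /old/page-{i}.php HTTP/1.1" 404 153 "-" "scanner/1.0"')
        if i % 6 == 0:
            lines.append(f'198.51.100.4 - - [{t}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for ip, ts, count in detect_scans(sample_log()):
        print(f"ALERT {ts.isoformat()} {ip}: {count} 404s in the last {WINDOW}")
```

On a real server, feed it `tail -F /var/log/nginx/access.log` and route the alert line to whatever channel someone actually reads.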

8. A one-page incident plan

Who gets notified, how to shut the site down if needed, where backups live, what you tell customers. When it happens, it's not the time to think — it's the time to execute. A one-page Google Doc is worth it.

Conclusion

Security isn't a product you buy, it's a routine you keep. The eight measures above can be implemented in a week by an experienced dev and drop your attack surface dramatically. If your site handles payments or personal data, add a yearly audit by someone outside the team.
