If you’re hosted on WordPress.com, there’s not a great deal you can do to harden your site. However, if you have your own server space somewhere and it uses WordPress as a content management system / blog software, there are a few simple steps you can take to make your particular part of the internet a little less inviting to hackers.
Over at Sucuri, Tony Perez talks about some of the bigger issues you need to worry about. While he goes into great detail, what it boils down to is not installing untrusted plug-ins, making sure you connect over secure protocols (such as SSH and SFTP) and employing a “least privilege” methodology when granting access to users.
One of the easiest and most effective tips is to disable the built-in theme and plugin editor, so that if someone does get hold of your password, they cannot use the WordPress dashboard to write arbitrary PHP into your site. This is done by opening the “wp-config.php” file in your installation’s root directory and adding the following lines:
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
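If you look after more than one WordPress install, it helps to check that the setting is actually in place rather than trusting memory. The following is an added example, not code from the original post or from Sucuri: a small POSIX shell audit that reads a wp-config.php and reports whether DISALLOW_FILE_EDIT is defined as true. The two sample config files it builds are constructed for illustration, and the function and file names are my own.

```sh
#!/bin/sh
# Added example (not from the original post or from Sucuri): audit a wp-config.php
# for the file-editor hardening constant. The sample configs below are constructed.

# Return 0 when DISALLOW_FILE_EDIT is defined as true in the file given as $1, else 1.
# Lines commented out with // or # do not match because the pattern anchors on
# "define" at the start of the line; /* ... */ block comments are not handled.
wp_file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)[[:space:]]*;" "$1"
}

# Print a one-line verdict for each wp-config.php path given; the exit status is the
# number of files that lack the setting (0 means every file is hardened).
audit_wp_configs() {
    missing=0
    for cfg in "$@"; do
        if wp_file_edit_disabled "$cfg"; then
            echo "OK       $cfg: theme/plugin editor disabled"
        else
            echo "WARNING  $cfg: DISALLOW_FILE_EDIT not set, editor reachable from the dashboard"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a hardened config.
HARDENED_CFG="$(mktemp)"
cat > "$HARDENED_CFG" <<'EOF'
<?php
define('DB_NAME', 'example_db');
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
EOF

# Constructed sample: a default config where the setting exists only as a comment.
DEFAULT_CFG="$(mktemp)"
cat > "$DEFAULT_CFG" <<'EOF'
<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
EOF

# Run the audit over both samples; the warning on the second file is expected.
audit_wp_configs "$HARDENED_CFG" "$DEFAULT_CFG" || true
```

The check is deliberately strict: it only accepts an uncommented define() of the exact constant name with a true value, so a line that has been commented out, or a define buried inside a /* */ block, is reported as missing. Run it against the real wp-config.php paths on your server in place of the temp files.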
The post goes into more specifics and does an excellent job of explaining not only what you can do, but why you should do it.
WordPress Security – Cutting Through The BS [Sucuri Blog]