Its not enough to build a clients’ site and send them on their way. With website hacking much more prevalent in the last few years, both site hardening and regular automated backups are just the start of a protective strategy.
In the case of WordPress, site hardening firstly means that you keep WordPress itself up to date, and also any plugins that your site uses. Deleting unused plugins and old users is also a requirement.
Securing user login details should firstly include strong passwords and also use of antivirus on the computer you use to administer the site (login details can leak if your computer gets broken into – physically or remotely). A password manager on your computer means you can use a complex password that you don’t need to remember.
As with your own computer, a backup of the website should be compulsory since no one can 100% guarantee that security will not be breached.
On the sites that we manage, we also monitor the sites’ core files for changes and check on who logs into the site admin. Monitors look at any changes that are made to site content and also at any site downtime.
Security is a moving target with any computer and what is secure from most attacks now, will almost inevitably not be secure in months or years without ongoing measures.