There are three very simple things that you can do to secure your self-hosted WordPress installation. None of them costs anything except a small amount of time to implement, and together they will ensure that your installation is not the easiest target for hacking attempts.
Therefore, if any of those components contains a vulnerability and you’ve not made sure that you’ve got the latest version because you’re not using it, you’re a target for hacking. The simplest way to be secure is to not have anything on your web server that you’re not using.
Delete the Admin User
Almost every WordPress installation is created with the first user called Admin, as that’s what the installation script puts into the box when you set it up for the first time. Indeed, many WordPress installations only have this user!
Logged into your Dashboard, go to Users and create a new User with your full name and full Admin rights. You might already have done this of course. Then choose the Admin User and delete it, remembering to attribute any Posts and Pages to your new User.
Delete unused Themes
The current version of WordPress comes with four Themes preinstalled, some of which you’ll not be using. You’ll likely also have installed other Themes, then decided not to use them after all. All installed components are present on your web server, whether they’re activated or not!
Removing unused Themes is a little laborious, but hopefully there’ll be few of them. Choose Appearance then Themes from the Dashboard menu and, for each theme you’re not using, click on it to open it and click on Delete in the bottom-right corner.
It is recommended that you keep two of the preinstalled themes, such as Twenty Ten and Twenty Thirteen, for trouble-shooting, as these are easy to update and managed by the core WordPress development team.
Delete unused Plugins
The current version of WordPress comes with three Plugins preinstalled, some or all of which you’ll not be using. You’ll likely also have installed some others, then decided not to use them after all. All installed components are present on your web server, whether they’re activated or not!
To remove unused Plugins, select Plugins from your Dashboard menu and, using the menu at the top, filter them to show only the Inactive ones. Select them all, using the check box above the first one, choose Delete from the Bulk Actions box and click on Apply. Confirm and the job is done.
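The same three checks can also be run from the command line. The script below is an added example, not part of the original article: it assumes WP-CLI (`wp`) is installed and that it is run from the WordPress root directory, the function names are illustrative, and it only reports what it finds without deleting anything.

```sh
#!/bin/sh
# Added example: read-only audit of the three items above, using WP-CLI.
# Assumption: `wp` is on PATH and the current directory is the WordPress root.

# Theme slugs to keep for troubleshooting (the two defaults named above).
KEEP_THEMES="${KEEP_THEMES:-twentyten twentythirteen}"

# Print the login if a user named "admin" exists (any letter case).
find_admin_user() {
    wp user list --field=user_login | grep -ix 'admin' || true
}

# Print the slugs of plugins that are installed but not active.
inactive_plugins() {
    wp plugin list --status=inactive --field=name
}

# Print inactive theme slugs, minus the ones kept for troubleshooting.
removable_themes() {
    wp theme list --status=inactive --field=name | while read -r slug; do
        case " $KEEP_THEMES " in
            *" $slug "*) ;;                        # on the keep list
            *) if [ -n "$slug" ]; then echo "$slug"; fi ;;
        esac
    done
}

# Report every finding; return non-zero if anything needs attention.
audit() {
    findings=0
    if [ -n "$(find_admin_user)" ]; then
        echo "FINDING: user 'admin' exists; replace it with a named administrator"
        findings=$((findings + 1))
    fi
    for p in $(inactive_plugins); do
        echo "FINDING: inactive plugin still on the server: $p"
        findings=$((findings + 1))
    done
    for t in $(removable_themes); do
        echo "FINDING: inactive theme still on the server: $t"
        findings=$((findings + 1))
    done
    echo "total findings: $findings"
    [ "$findings" -eq 0 ]
}

# Run the audit only where WP-CLI is actually available.
if command -v wp >/dev/null 2>&1; then audit; fi
```

Because `audit` returns a non-zero status when anything is found, the script can be scheduled and its exit code used to raise an alert when an unused component reappears.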
Taking these three simple steps will mean that your WordPress site isn’t the most easily compromised. Hackers are inherently lazy, so they’ll move on to the next site if that one is suffering from the potential problems you’ve just fixed.