Hacking of wordpress sites

snshinde

7:13 am on Jun 30, 2018 (gmt 0)

5+ Year Member

Hi,
I have some websites designed in WordPress, and they get hacked at various times. Is there any solution to protect the sites?
Please reply.

keyplyr

7:42 am on Jun 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Hi snshinde and welcome to WebmasterWorld [webmasterworld.com]

Make sure to install every security update as soon as they are released. Keep watch at the WordPress site.

robzilla

8:17 am on Jun 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

And de-activate any plug-ins you don't actually use.

TorontoBoy

11:37 am on Jun 30, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month

I also run multiple WP sites. There are many steps you can take to limit but not eliminate the risk of hacking. Here are a couple:
- keep all WP core and plugin code up to date
- use a theme from WP.org: these are somewhat tested. Third-party themes may or may not be well tested
- limit/reduce plugins: plugins are where most hacks occur in WP, not core code. Reduce these to a bare minimum and ensure they are all updated. If you can do something with a plugin or without, do not use a plugin.
- remove all unused themes and plugins from your install. They can be an entryway for a hack
- ensure passwords are non-trivial: simple passwords are easily guessed with hacking software and a vocabulary file. IDs are easily found with a simple scan of documents
- 2FA: do two-factor authentication. This is a server-based ID and password before the WP password challenge, and is common for all WP IDs. This makes it extremely difficult for bots to hack your IDs, though it makes it more difficult for your users. If you only do this step you will markedly increase your WP security. [codex.wordpress.org...]

Optional but very useful:
- monitor your raw access log and ban malicious bot behaviour
- download WP hacking software and try to break into your own sites. Scan your sites for vulnerabilities and easily broken passwords

There are no guarantees, so do regular backups. WP is not software you can leave alone for years. It will eventually get hacked. WP sites need regular maintenance and protection. Server hacks can occur but are much more difficult.

phranque

12:28 pm on Jun 30, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

There are several useful tips in this Google Developers help page:
[developers.google.com...]

phranque

12:29 pm on Jun 30, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

welcome to WebmasterWorld, snshinde!

not2easy

1:29 pm on Jun 30, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

There are common-sense changes that almost anyone can make to keep WP safer, and WordPress offers a page full of security tips for Hardening WordPress [codex.wordpress.org] with all the how-to instructions.
The vulnerabilities most affecting WordPress website owners stem from the platform's extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites.

Plugins have full access to all core functions and you can't separate their access. That's why it is very important to limit dependence on plugins, research all plugins and keep them up to date.

To check plugins for vulnerabilities before you install them, you can see the status and history of plugins at the WPScan Vulnerability Database [wpvulndb.com]

You can change the wp- table filenames by changing their prefix in the database to cause malicious probing or attacks to return a 404 error. That requires a wp-config edit as well. Adjusting file permissions for strategic files can also help, so long as you understand server permissions (chmod).
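A read-only permissions audit of the kind not2easy refers to, added here as an example (it is not code from the thread or from WordPress). It assumes a POSIX sh with find and sed, and that PHP runs as the file owner so wp-config.php can be 600; with a shared web-server user that file needs 640 and a matching group instead.

```shell
#!/bin/sh
# Added example: report WordPress files whose permissions drift from the
# usual baseline (755 directories, 644 files, 600 wp-config.php) and any
# world-writable entry. Read-only: it never runs chmod itself.
# Assumption: PHP runs as the file owner (php-fpm pools, suPHP); with a
# shared web-server user, wp-config.php needs 640 and a matching group.

wp_perm_audit() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # World-writable files or directories: any local account, or a
        # neighbouring site on the same host, can alter them.
        find "$root" ! -type l -perm -o+w | sed 's/^/WORLD_WRITABLE /'
        # wp-config.php holds the DB credentials and auth salts.
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 \
            | sed 's/^/CONFIG_NOT_600 /'
        # Everything else against the 755/644 baseline.
        find "$root" -type d ! -perm 755 | sed 's/^/DIR_NOT_755 /'
        find "$root" -type f ! -name wp-config.php ! -perm 644 \
            | sed 's/^/FILE_NOT_644 /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $root matches the 755/644 baseline"
}

# Usage when run directly: ./wp_perm_audit.sh /var/www/example/htdocs
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

The script exits non-zero when it finds anything, so it can run from cron and alert on drift after a plugin update or a compromise.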

theforamyst

12:22 am on Oct 30, 2018 (gmt 0)

5+ Year Member


Don't use auto-installers like Installatron or Fantastico, but do install WP manually; see their user's guide for how this is done.

hostrater

2:23 pm on Nov 3, 2018 (gmt 0)

5+ Year Member


There are a few things:

0. Make sure your server is secure.
1. Updates, and don't overload your installation with plugins :D
2. Start using software called wpscan (you can get it along with some other security scanners on the Kali Linux VMware/VirtualBox image, or just install Ruby on Windows).
- it's connected to the live exploits db at exploit-db.com
- it will show you plugins with security holes and security problems of your current version
3. Some security plugin might not be a bad idea (e.g. wpfence).
4. Be brutal and use the chattr +i file/directory command on WordPress files/dirs (probably apart from wp-content, unless you don't upload new files) to make them immutable. Most WP malware modifies your files (other times the db) in order to inject stuff; if files are immutable even root can't change them, so malicious code won't modify them either.
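The immutable-attribute lock from point 4, written up as an added example (not hostrater's own script). It assumes root, a filesystem that supports chattr, and a POSIX sh; the WP_LOCK_EXCLUDE variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: apply or remove the immutable attribute across a
# WordPress install. Needs root and a filesystem that supports chattr
# (ext2/3/4, xfs, btrfs). WP_LOCK_EXCLUDE lists paths, relative to the
# install, that stay writable. The default follows the post and skips
# wp-content entirely; narrowing it to "wp-content/uploads" also freezes
# plugins and themes, at the cost of unlocking before each of their updates.
WP_LOCK_EXCLUDE=${WP_LOCK_EXCLUDE:-wp-content}

# Print the files and directories that would be locked or unlocked.
wp_lock_targets() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    set -- find "$root"
    for ex in $WP_LOCK_EXCLUDE; do
        set -- "$@" -path "$root/$ex" -prune -o
    done
    # Symlinks are skipped: chattr cannot set attributes on them.
    "$@" ! -type l -print
}

# wp_immutable DIR lock|unlock. Unlock before core updates (and before
# letting WordPress rewrite .htaccess for permalinks), then lock again.
wp_immutable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    case "$2" in
        lock)   flag=+i ;;
        unlock) flag=-i ;;
        *) echo "usage: wp_immutable DIR lock|unlock" >&2; return 2 ;;
    esac
    wp_lock_targets "$root" | while IFS= read -r p; do
        chattr "$flag" "$p" || { echo "chattr $flag failed on $p" >&2; exit 1; }
    done
}

# Usage when run directly: ./wp_immutable.sh /var/www/example/htdocs lock
if [ "$#" -ge 2 ]; then
    wp_immutable "$1" "$2"
fi
```

Locking the install root directory itself also blocks new files from being dropped beside index.php, which is where many web shells land.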