All That’s required to Lock Down your Site Is a good Secure Username and Password. This is one of the biggest WordPress security myth
Secure Username and Password is not always enough, but it’s an excellent start. A solid password and unusual administrator username on your WordPress site is an important piece of securing your WordPress site.
When you create the first admin user on WordPress, it put “admin” as default. It’s something that you should NEVER use. Not either the name of your site. The best you can use is a combination of letters that don’t mean nothing.
Secure usernames and passwords are an important line of safeguard against programmers. Yet they can’t be the primary technique you use to ensure your site is safe. Actualizing two-factor validation on your site includes a critical second layer of security to your login qualifications that make it that significantly harder to get hacked thru username and password.
So what shall you do if you already have been compromised?
To only Change your passwords won’t spare you because your information was likely uncovered weeks or months before you discovered it. To change your password, and to pick secure passwords helps
But you also need to go thru your files; it is big chance that the person that has got access to your site have placed or made changes to code in your theme or plugins. Or even worse your WordPress core file if he also gets additional access.
For this there is a fantastic plugin, call Wordfence. With this plugin you can scan them, plugin and core files and automatic compared with the original files. With this, you quickly find files that have been changed and can see what and when something has been done.