Let me share with you the 3 things I do to spam proof and hack proof WordPress whether it is a blog or an e-commerce site.
I see to it that I update my blog to the latest WordPress version.
Security patches come with each WordPress update. So, I make it a habit to login as admin to press Update Now. I immediately do this upon receiving an email notification from WordPress.
I installed Wordfence plugin.
This plugin is very convenient to use. I like it when I find anything that I can set up and forget. This plugin gave me the convenience to install and forget.
I lock out suspicious visitors and referrers.
Investigation immediately takes place when I see multiple visits or referrals that don’t make any sense. I block their IPs or referral URLs if I see that the start of these suspicious activities coincide with the time when my site’s analytics show no improvement.
If I am analyzing traffic through AWstats (available in cPanel), I get the IP from there and I go to projecthoneypot.org to check whether it is already blacklisted by on other websites. And, if I am analyzing data from Google Analytics, I take notice of spammy looking referral URLs.
If you want, you can copy my .htaccess IP blacklisting codes and my .htaccess referral spam blocking codes. They include all the bad IPs I collected and checked at projecthoneypot.org and the bad referrer URLs I got from my analytics data.
There you have it. The 3 ways that will protect your WordPress site or blog from security threats without spending a dime on paid solutions.