Apart from the above suggestions, which apply to everything you do on the internet and not just to WordPress, there are some other WordPress-specific things you can do to beef up the security of your WordPress blog or website.
To start off with, change the default “admin” WordPress username if you are still using it. By doing so you are automatically excluding your WordPress from the most common brute force attacks.
I would also recommend setting up HTTPS for the WordPress dashboard (wp-admin) directory. By accessing the dashboard over HTTPS (an encrypted HTTP connection) you are ruling out the possibility that a malicious user captures your connection and logs in to your WordPress.
Use WordPress user roles. If you have guest writers who write blog posts but do not publish them, give them a contributor role.
Use a WordPress audit plugin, such as WP Security Audit Log, to monitor the activity of WordPress itself and of the WordPress users, and a WordPress plugin like Old Core Files to delete redundant files from WordPress.
Of course there are many other tweaks you can apply to your WordPress installation to improve its security and ensure you do not fall victim to a malicious hacker attack. But most probably you would be better off if you talk to a WordPress Security Professional, because every WordPress installation is different and everyone has different needs.
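The three concrete measures in the answer above (retiring the default "admin" login, serving wp-admin over HTTPS, and giving guest writers the Contributor role) can be checked in one pass. The script below is an added example, not code from the interview, from WordPress or from any plugin it names; the file name harden-check.php is hypothetical. It is report-only: it runs inside a loaded WordPress via WP-CLI (wp eval-file), looks for each of the three gaps, and prints the WP-CLI command or wp-config.php line that closes it.

```php
<?php
/**
 * harden-check.php (hypothetical file name): one-off WordPress hardening check.
 * Added example, not code from the interview or from WordPress itself.
 * Run from the site root with WP-CLI:   wp eval-file harden-check.php
 * The script only reports; each finding carries the command that fixes it.
 */

if (!defined('ABSPATH')) {
    fwrite(STDERR, "Run this through WP-CLI (wp eval-file) so WordPress is loaded.\n");
    exit(1);
}

$findings = [];

// 1. Default "admin" account: the username most brute-force attempts try first.
//    Fix: create a new administrator, then delete "admin" and reassign its posts.
$admin = get_user_by('login', 'admin');
if ($admin instanceof WP_User) {
    $findings[] = sprintf(
        'Default "admin" account still exists (ID %d). Create a replacement with '
        . '"wp user create <newlogin> <email> --role=administrator", then run '
        . '"wp user delete admin --reassign=<new-admin-id>".',
        $admin->ID
    );
}

// 2. Dashboard over HTTPS: with FORCE_SSL_ADMIN set in wp-config.php, WordPress
//    redirects wp-admin and wp-login.php to https and flags the auth cookie secure,
//    so credentials and sessions are never sent in clear text.
if (!defined('FORCE_SSL_ADMIN') || !FORCE_SSL_ADMIN) {
    $findings[] = 'FORCE_SSL_ADMIN is not enabled. Add to wp-config.php: '
        . "define('FORCE_SSL_ADMIN', true);";
}

// 3. Least privilege: every account that can publish is worth stealing, so list
//    them and downgrade anyone who only drafts content to Contributor.
foreach (get_users(['fields' => 'all']) as $user) {
    if (user_can($user, 'publish_posts')) {
        $findings[] = sprintf(
            '%s (ID %d) can publish posts (roles: %s). If they only write drafts: '
            . '"wp user set-role %d contributor".',
            $user->user_login,
            $user->ID,
            implode(',', $user->roles),
            $user->ID
        );
    }
}

// Print the report; a clean site prints a single line.
if ($findings === []) {
    echo "No findings.\n";
} else {
    foreach ($findings as $i => $finding) {
        printf("%d. %s\n", $i + 1, $finding);
    }
}
```

Delete the file once you have acted on the report; it has no business staying on a production host. One caveat on item 2: if TLS is terminated by a reverse proxy or load balancer, set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when the `X-Forwarded-Proto` header reads `https`, otherwise FORCE_SSL_ADMIN will send the dashboard into a redirect loop.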
What popularly suggested measures that you see promoted on the web are of little or no help? Similarly, what suggested measures are blown way out of proportion in terms of their supposed benefits?
I’ve never seen any suggested WordPress security measures that are of little or no help. Every little bit helps. In fact, when we do a WordPress security hardening, we do not just implement solutions and tweaks to keep WordPress safe from malicious attacks. We also think of when a website is hacked and apply changes to try and limit the damage a malicious hacker can do once he or she hacks the WordPress blog or website.
Many people might think that this is a waste of time, i.e. once a website has been hacked it is too late. That is simply not true. The more you limit the damage a hacker could do once he or she has intruded into the website, the cheaper and easier it would be to recover the website. Of course, if you make frequent backups of your WordPress site it would also help in the recovery process, so frequent backups are a must.
What important aspect of WordPress security do you see most commonly neglected by end users?
I do not think there is a specific aspect of WordPress security that is neglected. Having said that, I am not saying that WordPress administrators and users are doing it right, but simply that most of them do not even bother about WordPress security. On the other hand, there are WordPress administrators who care about security, or the business they work for does and invests in WordPress security. In most cases, those who care have been hacked before, and that is why they care.
Unfortunately, people do not see any benefits in securing a WordPress blog or website until they are hacked, which sometimes is too late. Businesses have lost their reputation and some of them even went bankrupt when their website got hacked.
Do you have any further comments regarding WordPress security that you feel you have not covered in answering the above questions?
There is a lot of information available on the internet that can help you secure your WordPress blog or website, or get you started with it. Read, learn and try to apply what they recommend. If your WordPress is your main source of income, and maybe you do not have the time for it, or it is simply not your cup of tea, I would recommend that you outsource the job to a professional, because they can go the extra mile and give you solutions specifically tailored for your WordPress installation.
Do not wait for a malicious hacker to hack your WordPress before you start thinking about WordPress security since it might be too late. Stay secure!