WHAT WE DID
We implemented the following security measures:
- Searching for and removing unused files such as readme.html, which can create a security hole. Before we started working on the website, anyone could have guessed that it was a WordPress site.
- Disabling directory listing with .htaccess
- Removing the WordPress version number
- Disallowing file editing. A user with admin access to the WordPress dashboard can edit any file that is part of the WordPress installation, including all plugins and themes. With file editing disallowed, an attacker who gains access to the dashboard still cannot use it to modify those files. When an attacker reaches the WordPress login page and tries to guess the administrator username and password, that is called a brute force attack; limiting which users are allowed to see the login page and access the admin dashboard reduces some of those attacks.
- Using an email address as the login ID instead of a username, which is a more secure approach.
- Setting up website lockdown and banning users
- iThemes Security (formerly Better WP Security) set up
- Setting directory permissions
- BulletProof Security installation
- Changing the passwords for PHP, MySQL, the CMS login, the FTP login, etc. after the cleanup process
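As an added example (not code from the original write-up), a small POSIX shell audit that checks a local WordPress document root for several of the items above: leftover readme and license files, the directory-listing setting in .htaccess, the DISALLOW_FILE_EDIT constant in wp-config.php, removal of the wp_generator version tag, and world-writable files. The function name wp_audit and the exact paths it inspects are assumptions; it only reads the local filesystem.

```shell
#!/bin/sh
# wp_audit DOCROOT: print each unresolved hardening item to stderr and the
# number of findings to stdout (0 means every check passed). Hypothetical
# helper written for this page, not part of WordPress or any plugin.
wp_audit() {
  root="$1"
  findings=0

  # 1. Leftover files that announce the platform (and often its version).
  for f in readme.html license.txt wp-config-sample.php; do
    if [ -f "$root/$f" ]; then
      echo "FINDING: $f still present; remove it" >&2
      findings=$((findings + 1))
    fi
  done

  # 2. Directory listing must be disabled in .htaccess (Options -Indexes).
  if ! grep -qs '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess"; then
    echo "FINDING: .htaccess does not set 'Options -Indexes'" >&2
    findings=$((findings + 1))
  fi

  # 3. Dashboard file editing must be disabled in wp-config.php.
  if ! grep -qs "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$root/wp-config.php"; then
    echo "FINDING: wp-config.php does not define DISALLOW_FILE_EDIT as true" >&2
    findings=$((findings + 1))
  fi

  # 4. The version meta tag is removed by a theme or plugin under wp-content.
  if ! find "$root/wp-content" -name '*.php' \
        -exec grep -l 'remove_action(.*wp_head.*wp_generator' {} + 2>/dev/null \
        | grep -q .; then
    echo "FINDING: no remove_action('wp_head', 'wp_generator') under wp-content" >&2
    findings=$((findings + 1))
  fi

  # 5. World-writable files or directories indicate a permissions mistake.
  if find "$root" -perm -0002 -print 2>/dev/null | grep -q .; then
    echo "FINDING: world-writable paths exist; tighten directory permissions" >&2
    findings=$((findings + 1))
  fi

  echo "$findings"
}
```

Run it as `wp_audit /var/www/html` (path is an example) and act on anything it prints; a count of 0 means these particular checks are all in place, not that the site is fully hardened.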