I'm thinking about starting a blog using WordPress. I'm not interested in a website at the moment and just want to start a blog.
I'm in Australia, so I suppose that may mean some overseas issues with hosting, but do any of you gurus here have suggestions bearing in mind you're talking to a non-Geek?
Keep WordPress, and all your plugins and themes up-to-date so you'll have the latest security patches.
For the hosting, make sure its PHP, web server (usually Apache), and database server (usually MySQL) are kept up-to-date so they have the latest security patches.
Also make sure your site is behind a good web application firewall (WAF). This could be ModSecurity on the web server (with a good ruleset - no rules means no protection), or using a service like Sucuri's WAF, or both in combination.
Back up the site often (preferably daily) and keep older backups (I often recommend 2 monthlies). Hackers tend to compromise a site, lay low for a few weeks, and then slowly become more and more obvious. Having backups from before disaster strikes is essential. There should also be copies of these outside of the server.
Don't add too many plugins. They're not all tested with each other, and the more you add, the more you risk making the site both slower and broken. It's fine to have a few good ones, but if I'm seeing the number approach 20 while people complain about how slow their sites are, then I begin suspecting that as a contributor.
If the site's needs get too big for you, you probably need a developer to help you. Finding a good one can be a challenge in and of itself, and you want this person to be absolutely trustworthy. Maintain a good relationship with this person! Disgruntled devs can become very damaging hackers.
Use long, strong passwords (15 characters at least), make sure they cannot be easily guessed, cracked, or otherwise obtained, and only enter them on encrypted, secure connections. That means HTTPS, SFTP, or FTPS. Don't use HTTP or FTP when entering these passwords; they are unencrypted and insecure.
Don't keep the old version of the site in a subfolder of the main site. That's a wide-open door for hackers. Keep the old copy completely outside of the main site's document root.
If you get hacked, you or your developer will need to check the site files AND the database for code that isn't supposed to be there. So make sure you keep good backups of both of them, safe and secure, which you can use to compare with the suspicious new site copy.
WordPress is something like 40% of the Internet. As such, it is a major target, and WordPress sites get hacked a lot. Taking these steps to protect yourself is essential.
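The file-comparison step from the answer above, as an added example that is not part of the original post: a small POSIX shell script that hashes every file in a known-good backup of the WordPress document root and in the live copy, then lists files that were added, removed or changed since the backup. The backup and live directory paths are whatever you pass in; it assumes GNU coreutils (`sha256sum`, `join`) and file paths without whitespace.

```shell
#!/bin/sh
# Compare a known-good backup of a WordPress document root against the live
# site and report files that are new, gone, or modified since the backup.
# Assumes GNU coreutils (sha256sum, join) and paths without whitespace.

# Print "sha256  ./relative/path" for every regular file under directory $1.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# Report differences in the live tree ($2) relative to the backup tree ($1).
# Output lines: "ADDED path", "REMOVED path" or "CHANGED path".
compare_trees() {
    b=$(mktemp) || return 1
    l=$(mktemp) || return 1
    # Reorder to "path hash" and sort by path so join can pair the lists.
    hash_tree "$1" | awk '{print $2, $1}' | LC_ALL=C sort > "$b"
    hash_tree "$2" | awk '{print $2, $1}' | LC_ALL=C sort > "$l"
    # -a 1 -a 2 keeps unpaired paths from either side; -e fills the gap.
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$b" "$l" | awk '
        $2 == "MISSING" { print "ADDED " $1; next }     # only in live copy
        $3 == "MISSING" { print "REMOVED " $1; next }   # only in backup
        $2 != $3        { print "CHANGED " $1 }'        # content differs
    rm -f "$b" "$l"
}

# Usage: sh compare.sh /path/to/backup/public_html /path/to/live/public_html
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Every ADDED or CHANGED PHP file, especially under wp-content/uploads, is a candidate for the injected code the answer describes; the database still needs its own comparison.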