Securing WordPress, also applies to other CMSs

How do you guys secure your WordPress installs?
I have the following but still run into problems with spam and hacks:
Currently:
fail2ban, long jail times, check for WordPress brute force attacks
iptables, all ports other than the minimum blocked. Large blacklist of IPs.
OSSEC with active protection.
rkhunter
Each vhost runs as a separate user (php-fcgi)
Sites that don’t need to send any mail have the mail() function disabled in php.ini
PHP mail logging, to track down spamming scripts.
Use as few plugins as possible and keep WordPress up to date.
Set proper directory permissions
Wordfence

https://www.reddit.com/r/sysadmin/comments/3h377b/securingwordpresswelcometohell/
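
The "PHP mail logging, to track down spamming scripts" item from the list, as an added example that is not part of the original post: a Python script that groups `mail()` calls by the script that made them. It assumes the line format PHP writes when the `mail.log` directive in php.ini points at a file; the sample log, paths, addresses and the recipient threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format PHP writes when mail.log points at a file.
# Paths, addresses and line numbers are made up for this example.
SAMPLE_LOG = "\n".join(
    ["[15-Aug-2015 03:10:01 UTC] mail() on "
     "[/var/www/shop/wp-includes/class-phpmailer.php:700]: "
     "To: owner@example.com -- Headers: From: shop@example.com"]
    + ["[15-Aug-2015 03:11:%02d UTC] mail() on "
       "[/var/www/blog/wp-content/uploads/cache.php:7]: "
       "To: user%d@example.net -- Headers: From: x@example.org" % (i, i)
       for i in range(5)]
)

# Non-greedy script match: take the first ":<line>]: To:" so that later
# header text cannot shift where the script path ends.
LINE_RE = re.compile(
    r"^\[[^\]]+\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers:"
)

def summarize(log_text):
    """Map each calling script to its mail() call count and recipient set."""
    stats = defaultdict(lambda: {"calls": 0, "recipients": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a mail() log line
        entry = stats[m.group("script")]
        entry["calls"] += 1
        for addr in m.group("to").split(","):
            entry["recipients"].add(addr.strip().lower())
    return stats

def suspicious(log_text, max_recipients=3):
    """Flag scripts mailing many distinct recipients or living in uploads."""
    flagged = []
    for script, entry in summarize(log_text).items():
        reasons = []
        if len(entry["recipients"]) > max_recipients:
            reasons.append("many recipients")
        if "/wp-content/uploads/" in script:
            reasons.append("PHP in uploads directory")
        if reasons:
            flagged.append((script, entry["calls"], reasons))
    return sorted(flagged, key=lambda f: -f[1])

if __name__ == "__main__":
    for script, calls, reasons in suspicious(SAMPLE_LOG):
        print(f"{script}: {calls} mails ({', '.join(reasons)})")
```

Because each vhost runs as its own user, the flagged path also identifies which site to inspect.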