The only way to prevent contact form spam is to not have a contact form. That doesn't work for most people, so the best we can do is reduce the amount of spam that is allowed to be submitted without making it too hard for real contacts.
From a general security perspective, you want to reduce the number of bots and bad actors from reaching your site. A good security plugin like WordFence will help reduce unwanted visitors. I've had good success with using Contact Form 7 and the Contact Form 7 Honeypot plugins, and with Gravity Forms (it has its own Honeypot feature).
A honeypot is a dummy field in the contact form that human visitors will not see, but bots will detect as a contact form field. If this field has any content when it is submitted, the mail is not generated.
This will not remove all spam, as there are people who are paid pennies per email sent to fill forms manually, but it will reduce spam significantly.
Hope this helps.
What kinds of WP security issues are you having?
When you say that you want to protect your site from spammers, do you mean that you're getting a lot of spam comments or contact form spam? In which case, have you set up the Akismet plugin properly (i.e. registered on the Akismet site and set up the API key)?
If you're having issues with brute-force login attempts, you can use the (free) Limit Login Attempts plugin. For a much more comprehensive security plugin offering a ton of features try the premium version of WordFence ($59/year).
I'd also contact your hosting provider to see what tools they offer. One of the reasons that we strongly recommend clients put their site on a managed hosting solution is that most providers offer continuous monitoring and clean-up for things like malware insertion, nefarious PHP object injection attempts, and the like.
You could create a .htaccess file in the wp-admin folder and create a .htpasswd file. You will have to create a password for a specific user and load this information into the .htpasswd file. Then point the .htaccess AuthUserFile to the location of the .htpasswd file and also add AuthType, AuthName and Require valid-user.
A good resource of information is here: http://www.htaccesstools.com/articles/password-protection/
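The .htaccess/.htpasswd steps described above, as an added shell example that is not part of the original post. It assumes Apache 2.4; the function name `protect_wp_admin`, the paths and the user name `siteadmin` are hypothetical, and the `admin-ajax.php` exemption is an addition, since front-end WordPress features call that file without credentials.

```shell
#!/bin/sh
# Added example: write wp-admin/.htaccess for HTTP Basic auth.
# Assumptions: Apache 2.4; all paths and names below are placeholders.

# protect_wp_admin WP_ROOT HTPASSWD_FILE
protect_wp_admin() {
    wp_root=$1
    htpasswd_file=$2
    target="$wp_root/wp-admin/.htaccess"

    [ -d "$wp_root/wp-admin" ] || { echo "no wp-admin under $wp_root" >&2; return 1; }

    # Do not clobber rules that are already in place.
    [ ! -e "$target" ] || { echo "$target already exists" >&2; return 1; }

    # Apache resolves a relative AuthUserFile against ServerRoot, so insist
    # on an absolute path to avoid pointing at the wrong file.
    case $htpasswd_file in
        /*) ;;
        *) echo "AuthUserFile must be an absolute path" >&2; return 1 ;;
    esac

    # A password file inside the web root could be served to visitors.
    case $htpasswd_file in
        "$wp_root"/*) echo "keep .htpasswd outside the web root" >&2; return 1 ;;
    esac

    cat > "$target" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user

# Front-end AJAX requests hit this file without credentials.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# Usage (htpasswd prompts for the password; -c creates the file, -B uses bcrypt):
#   htpasswd -cB /home/example/.htpasswd siteadmin
#   protect_wp_admin /home/example/public_html /home/example/.htpasswd
```

Basic auth sends credentials on every request, so serve wp-admin over HTTPS.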
Hi, as a non-expert, I struggle with this too. I have a portfolio approach that I am happy to add to as I continue to learn. Here are the measures I have in place at the moment:
1. I have changed my login id from Admin to something non-obvious
2. I have a very strong password (l/c, u/c, numerals, symbols)
3. I use WordPress Akismet to deal with spam comments
4. I use WordFence to protect the site as a whole
5. I have recently switched host to a highly recommended WordPress hosting specialist (they don't host other tech, so I believe their claim to be better at WP than some competitors who don't specialise). I have not done enough due diligence to tell you they are right for you, but if you want to make your own checks, I use https://trafficplanethosting.com and am happy with the switch - very helpful help desk team and solid service. Email is their weak spot, but it is adequate.
Good WP plugin to reduce spammers to your blog comments:
Love Wordfence (free), but most of all, make your passwords LOOOOOOOOOOOOONG. Use a phrase like 'I hate long, 36-character passwords!' [make your own!] Brute force algorithms will hack through a short password in no time, and the hackers have bots that spend their life trying variations of passwords. And increase lockout times to their longest setting (60 days).
Akismet for comment spam.
For general security, I highly recommend Sucuri. #sucuri
Often, a good place to start when it comes to website security is your hosting environment. Today, there are a number of options available to you, and while hosts offer security to a certain level, it's important to understand where their responsibility ends and yours begins.
My recommendation would be to move away from WordPress simply because you have to keep on top of all the plugin updates and platform updates. If you missed a few updates on a particular plugin you may run into security issues and a simple plugin can break the site if it is not updated correctly. But if you can't move away from WordPress, then you may want to try to get this plugin for security.
JMS Technology Group, LLC
I've actually written a blog post on this that explains securing a WordPress site: http://jvmediadesign.com/blog/business/truth-about-wordpress-security/
Also for comment spam, sign up for an account with Disqus.com and then install the Disqus plugin on your site. We use that for many of our clients and it really cuts down on the spam comments.