• remove default "admin" user, because most of the brute-force attacks targeted to crack "admin" username
• keep WordPress, theme and plugins up-to-date
• Avoid common words for passwords. Bad passwords: admin, letmein, pass
• install Security-protection and Anti-spam plugins
• Check out if your site is secured on sitecheck.sucuri.net

Links:

• smashingmagazine.com/2018/06/wordpress-security-as-a-process/
• sucuri.net/guides/wordpress-security
• Website hack report by sucuri.net