1. Use 2 Factor Authentication
2. Try to use your Admin account as little as possible
3. Don’t name your Admin account “Admin”
4. Keep your plugins up to date
5. Don’t install more plugins than you need
6. Don’t keep plugins you’re not using, even if they’re inactive
7. Repeat steps 4 through 6 for Themes, too.
8. Keep your WordPress itself up to date
9. Get a plugin that changes your login page from /wp-login.php to something random like /djeu
10. Get WordFence and if you can afford it, the Premium version.

Here is an addendum to point 10:

I first recommend getting the highest tier of JetPack, which has all sorts of features including security.

If you’re unwilling to pay for the highest tier of Jetpack, get the Premium version of WordFence.

If you’re looking for free solutions: get both the free tier of JetPack and the free tier of WordFence.

Some Useful Links:

• How to set up WP 2FA
• WPS Hide Login
• Jetpack free
• WordFence free
• Jetpack pricing
• WordFence pricing