1. Keep WordPress core files, themes and plugins up to date.

To enable automatic updates for core (including major releases), themes and plugins, add these lines to your active theme's functions.php:

add_filter( 'allow_major_auto_core_updates', '__return_true' ); //automatic updates for major updates
add_filter( 'auto_update_theme', '__return_true' ); //automatic updates for all Themes
add_filter( 'auto_update_plugin', '__return_true' ); //automatic updates for all plugins

2. Secure usernames and passwords

Do not use “admin” as the administrator username, and do not use weak passwords.

3. Block web access to the wp-includes folder

Add this code to .htaccess, above the section WordPress generates itself (the block that starts with # BEGIN WordPress), because WordPress rewrites that block:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

4. Blocking web access to wp-config.php

Add this code to .htaccess:

# Apache 2.2 syntax; on Apache 2.4 replace the "order" and "deny" lines with: Require all denied
<files wp-config.php>
order allow,deny
deny from all
</files>

5. Disabling File Editing in WordPress Admin

In wp-config.php:

define('DISALLOW_FILE_EDIT', true);

6. Limit Login Attempts

Use the plugin called Limit Login Attempts to easily limit the number of login attempts.
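To show what such a plugin does under the hood, here is an added example (not code from this page or from the Limit Login Attempts plugin) of a minimal per-IP login rate limiter built only on WordPress core APIs: the wp_login_failed action counts failures in a transient, and an authenticate filter refuses login while the count is over the limit. The threshold, lockout length and the ll_ prefix are assumptions of this example; it also assumes clients connect directly (behind a reverse proxy you would have to derive the address from the proxy's header, and trust only that proxy).

```php
<?php
/*
 * Added example: minimal login rate limiter for functions.php or a small
 * must-use plugin. Not the Limit Login Attempts plugin's own code.
 * Thresholds below are assumptions chosen for illustration.
 */

define( 'LL_MAX_ATTEMPTS', 5 );          // failed logins tolerated per client (assumed)
define( 'LL_LOCKOUT_SECONDS', 15 * 60 ); // lockout / counting window in seconds (assumed)

// Key the counter on the client address. Assumes a direct connection; behind a
// reverse proxy, use the address the proxy reports and trust only that proxy.
function ll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_attempts_' . md5( $ip );
}

// Count one failed attempt. WordPress fires wp_login_failed for wrong usernames
// and wrong passwords alike, and also for the lockout error returned below, so
// every refused attempt renews the window (a sliding lockout).
function ll_record_failure( $username ) {
    $key   = ll_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Refuse authentication while the client is locked out. Priority 30 runs after
// the core username/password handlers (priority 20), so a locked-out client is
// refused even when it submits a correct password; returning WP_Error ends the
// login attempt.
function ll_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( ll_client_key() );
    if ( $count >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'll_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'll_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_client_key() );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );
```

Transients live in the options table unless a persistent object cache is configured, so the counter survives across requests and PHP workers either way. The limiter is per client address; a dedicated plugin additionally tracks attempts per username, logs lockouts and lets an administrator review or lift them.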

7. Use Two-Factor Authentication

Use the Google Authenticator plugin for this.
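For readers who want to see what the second factor actually checks, here is an added example (not the Google Authenticator plugin's code) of RFC 6238 TOTP verification (HMAC-SHA1, 6 digits, 30-second step, plus or minus one step of clock tolerance) wired into the WordPress authenticate filter after the password has been verified. The user meta key totp_secret, the form field totp_code and the one-step tolerance window are assumptions of this example; enrolment (generating a secret and showing the QR code) is not shown.

```php
<?php
/*
 * Added example: TOTP (RFC 6238) as a second login factor using WordPress
 * core APIs only. Not the Google Authenticator plugin's own code.
 * Assumed: base32 secret stored in user meta 'totp_secret', code submitted
 * in the login form field 'totp_code'.
 */

// Decode the base32 secret (RFC 4648 alphabet) that authenticator apps use.
function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper( rtrim( $b32, '=' ) );
    $bits = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $v = strpos( $alphabet, $b32[ $i ] );
        if ( $v === false ) {
            return false; // not a valid base32 character
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $out .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $out;
}

// HOTP value (RFC 4226) for one counter: HMAC-SHA1, dynamic truncation, 6 digits.
function totp_code( $secret_bin, $counter, $digits = 6 ) {
    $msg    = pack( 'N2', 0, $counter ); // 8-byte big-endian counter
    $hash   = hash_hmac( 'sha1', $msg, $secret_bin, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $bin    = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $bin % pow( 10, $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the code for the current 30-second step and $window steps either side,
// comparing in constant time. $now is injectable so the routine can be checked
// against the RFC 6238 test vectors.
function totp_verify( $secret_b32, $code, $now = null, $window = 1 ) {
    $secret = totp_base32_decode( $secret_b32 );
    if ( $secret === false || ! preg_match( '/^\d{6}$/', $code ) ) {
        return false;
    }
    $now  = ( $now === null ) ? time() : $now;
    $step = (int) floor( $now / 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $step + $i ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Second factor: only consulted once the password check has produced a WP_User.
// Priority 30 runs after the core handlers (priority 20).
function totp_authenticate( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // first factor already failed; pass the error through
    }
    $secret = get_user_meta( $user->ID, 'totp_secret', true );
    if ( empty( $secret ) ) {
        return $user; // this account has not enrolled a second factor
    }
    $code = isset( $_POST['totp_code'] ) ? trim( $_POST['totp_code'] ) : '';
    if ( ! totp_verify( $secret, $code ) ) {
        return new WP_Error( 'invalid_totp', __( 'Invalid authentication code.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'totp_authenticate', 30, 3 );

// Add the code field to wp-login.php.
function totp_login_field() {
    echo '<p><label for="totp_code">Authentication code<br />';
    echo '<input type="text" name="totp_code" id="totp_code" class="input" autocomplete="one-time-code" /></label></p>';
}
add_action( 'login_form', 'totp_login_field' );
```

Because the check runs after the password filter, a wrong code also fires wp_login_failed, so it is counted by the login-attempt limiter in item 6 rather than giving an unlimited second guess. Returning a generic error for a bad code, rather than revealing whether the password was right, keeps the two factors from being attacked separately.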