There are a few key steps to keeping WordPress secure.
Do not disable WordPress automatic updates.
WordPress itself sometimes has security issues that are fixed in updates. Though WordPress' security and code quality has increased over recent years, there are still occasional vulnerabilities. Thankfully, WordPress has added an automatic update system that is enabled by default, resulting in very few WordPress sites remaining vulnerable to security issues in WordPress core.
Use trusted plugins and themes, only install plugins you absolutely need, and keep plugins and themes updated.
The most common way WordPress is compromised is through insecure plugins and themes. There are thousands of WordPress plugins and anyone, including novice developers and developers with no security knowledge, can write and publish WordPress plugins.
Even though WordPress automatically updates itself, WordPress does not automatically update plugins and themes. As a result, even once a vulnerability in a plugin is discovered and fixed by the developer, any WordPress site using that plugin remains exploitable until the WordPress site owner manually updates plugins through the WordPress dashboard.
Use a Web Application Firewall such as HeatShield.
A Web Application Firewall (WAF) inspects the content of incoming requests and blocks malicious requests before they cause damage. A firewall rule set like the OWASP Core Rule Set, which is used by HeatShield, is flexible and well-tested so that it can even block zero-day exploits that have not been fixed yet in WordPress, plugins, and themes.