If you want a quick, cheap laugh in a cybersecurity community, say the words "Secure WordPresss", however there are steps you can take to not be the lowest hanging fruit. Take these simple steps to utilize a hacker's goldfish-like attention span. 😉
Use Loginizer's bruteforce protection. Manage your XML-RPC with one of many free plugins. The Securi plugin offers a lot without premium, it will make suggestions, take them. Check out securityheaders.io and don't stop until you have an A grade. And it should go without saying, but HTTPS people!
Let's start with HTTPS, "why do I need an SSL/TLS certificate when I don't sell anything?" Well the big one is obfuscating your user/pass from anyone within sniffing range. Also there have been proposed changes for some time and soon browsers will make a lot of noise if your site does not have one.
Next, your WordPress install should come with Loginizer, if you are not the type to fail at logins repeatedly, make very strict policies for lockouts from bruteforcing attempts. This may be a good place to start using a password manager.
Delete the admin user after making another user with admin privileges. 75% of the brutforcing attempts I have seen just use admin as a username. 24% were the domain name. Those that enumerated the users, thanks to good bruteforcing policies, are blacklisted.
Use really long complicated passwords, mine use; letters, numbers and special characters. Since they are larger than 20 character long, this really requires a password manager.
There are many plugins that you can use free to lock down XML-RPC. If you don't use XML-PRC, disable it, or at the very least don't allow pingbacks to it.
Securi plugin for WordPress is also nice, plenty of goodness in the free version. It will check out your configuration and give you good suggestions about file permissions etc.
Grade your WordPress install here, https://securityheaders.io/ with a little research and patience you can bump your grade to an A. You will be capped because if you create totally secure headers you will break some WordPress functionality. This is mostly the case with Content-Security-Policy.
default-src 'self'; img-src 'self' data: https: *.gravatar.com www.google-analytics.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: www.google-analytics.com www.googletagmanager.com; style-src 'self' 'unsafe-inline' https: fonts.googleapis.com; font-src 'self' data: https: fonts.googleapis.com themes.googleusercontent.com;
The above seems to be the best Content-Security-Policy header that will still allow WordPress to be functional.
This is really important, use the most up to date PHP, update plugins and WordPress itself as soon as updates are available. Disable and delete any unused plugins, and keep the number of plugins to a minimum.
Overall, the process is not hard and though not totally secure, you can minimize the chances of getting your site defaced or worse. Make frequent backups and incremental changes, especially when editing .htaccess, also don't be afraid to blacklist ips!