Securing WordPress is pretty simple and does not take much on your end to do.
When you first install WordPress you are prompt to create an account. If you used the default admin/pass account then you need to remove that account immediately. That account combination is used by bots to brute force log into your WordPress. I suggest not to even use the admin for a username. User something completely different. As for your password be sure to use a strong password. With uppercase lowercase numbers and special characters. The stronger the better.
Remove any themes or plugins you are not using. Having them sit on your site increases your chances of having more possible exploits. Also, don't download illegal themes or plugins. They are using riddled with malware.
Next, you will want to keep your site updated. Keeping your WordPress site updated, will pretty much prevent 99.9% of the known hacks out there. This is the biggest reason why WordPress sites get hacked and can have a bad name in some eyes. It's because people do not keep their website up to date. The easiest way to keep your website updated is by using a plugin called Companion Auto update – https://wordpress.org/plugins/companion-auto-update/. I have tried several auto-updating plugins, but I found this one to be the only reliable and stable plugin.
One reason why some people do not have their website auto update is because they are worried the new update will break their site, This issue was more common a few years ago, but it rarely happens now. I can remember the last time an update broke my site. But I can tell how often a clients site gets hacked because they do not keep it updated. Don't believe? Don't update your site. You will see how long it will take before your site gets hacked. Hopefully, it's an easy hack to fix. Sometimes they are very tricky to clean up.
Now there are more tin foil hat things you can do to protect your site, but I have yet seen any benefits from them. Most hackers are lazy and will have scripts to automate things. They will either look to brute your login with easy or weak login credentials or looks for lazy website owners who don't keep their sites updated. With automated software for them, that is the much easier approach.