
WordPress Security: Ten Things Most People Miss

Basic measures that make a big difference

WordPress powers over 40% of the web. That makes it an attractive target for automated attacks. But most breaches don't stem from sophisticated hacks; they come from basic mistakes that could have been avoided.

Update, update, update

The single most important thing you can do: keep WordPress core, plugins, and themes current. Most exploited vulnerabilities already have a patch available. Not updating is like leaving your front door unlocked.

Change the login URL

/wp-admin and /wp-login.php are known to every bot on the internet. A plugin like WPS Hide Login changes the URL with one click. It doesn't eliminate the risk, but it reduces the noise significantly.

Two-factor authentication

Google Authenticator or a similar app. It takes 30 extra seconds per login but stops practically all brute force attacks. If you only do one thing on this list, make it this.

Limit login attempts

Limit Login Attempts Reloaded is free and blocks IP addresses after repeated failed attempts. Simple and effective.

Passwords

"admin" with password "admin123" is still among the most common combinations bots try. Sounds absurd, but the statistics don't lie. Use a password manager and generate strong passwords.

Five more in quick format

Disable XML-RPC if you don't know you need it. Hide the WordPress version (remove the generator tag). Set correct file permissions: 755 for directories, 644 for files, never 777. Install Wordfence or Sucuri for monitoring. And run regular backups with UpdraftPlus, not to prevent breaches but to recover quickly when they happen.
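An added example, not from the original post, for the file permission item above: a POSIX shell audit that reports every directory or file deviating from the 755/644 baseline, flags world-writable (777-style) entries separately, and can reset the tree. WP_ROOT is an assumed path; set it to your own install.

```shell
#!/bin/sh
# Added example (not part of the original post). WP_ROOT is an assumed path.
WP_ROOT="${WP_ROOT:-/var/www/html}"

# Print one line per entry that deviates from the baseline.
# Format: "<kind> <path>", kind is world-writable|dir|file.
wp_perm_audit() {
  root="$1"
  # World-writable entries first: this is the "never 777" case.
  find "$root" \( -type d -o -type f \) -perm -002 -print | sed 's/^/world-writable /'
  # Remaining directories that are not exactly 755.
  find "$root" -type d ! -perm 755 ! -perm -002 -print | sed 's/^/dir /'
  # Remaining regular files that are not exactly 644.
  find "$root" -type f ! -perm 644 ! -perm -002 -print | sed 's/^/file /'
}

# Reset every directory to 755 and every regular file to 644.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Number of deviations; 0 means the tree matches the 755/644 baseline.
wp_perm_issue_count() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Usage: sh wp-perms.sh audit   or   sh wp-perms.sh fix
case "${1:-}" in
  audit) wp_perm_audit "$WP_ROOT" ;;
  fix)   wp_perm_fix "$WP_ROOT" ;;
esac
```

Run the audit first and review the list before fixing: some hosts intentionally use other modes for specific paths, and a blanket reset will overwrite them.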

None of these measures are complicated. Each takes maybe five minutes. Together they make an enormous difference.
