Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.
To improve the security, please follow the below steps.
Stay updated
Update theme and plugins, to turn on automatic update.
https://codex.wordpress.org/Configuring_Automatic_Background_Updates
Delete the default ‘admin’ user.
Delete the admin user and create new users with admin rights.
Delete the default post and page.
Delete the default post and page.
Change Comments Settings
Change the comments settings under Settings => Discussion
Remove Unwanted themes / plugins
Delete any unwanted themes and plugins.
File / Directory Permission
Change all files permission to 644 and directories permission to 755.
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
.HTACCESS Control
ServerSignature Off
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
# Secure .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
Secure wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Disable File Editing in wp-config.php
# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
For more information please check below link
https://codex.wordpress.org/Hardening_WordPress