This is going to be a small section and I’ve already mentioned that in the security mindset, but it’s so important that I couldn’t not write about that. I wasn’t joking when I said you should keep your code updated. Probably 98% of all WordPress “hacks” come from vulnerable themes or plugins that have not been updated by the website’s maintainer.
Seriously, not updating your plugins is going to get you in trouble. Nobody said that owning a WordPress website is going to be effortless, and if they did – tell them they are idiots. Always make sure you plan for having a staging website to make updates on first (you don’t update straight away in production, do you?). Update regularly, like at least once or twice a month.
Also, if your site is anything more than a worthless blog (and especially if you store sensitive personal data), get a good security plugin. There are many options: Wordfence, Sucuri, etc. They will notify you and add firewall rules if a vulnerability is discovered in any of the plugins on your website.