Unfortunately we live in a world where people would love to take control of your site. There are different avenues that hackers can take into a site. Often plugin updates are for security fixes so make sure that you always keep your plugins, themes and the WordPress core itself updated. That way if there are any security vulnerabilities that have been discovered and patched, you’ll be secure.
Usernames and passwords are another area to be secure. Never use admin as the username. This was the WordPress default for years and is sometimes still used. If your site has a user named admin, create another user (you can do that in the user section of your WordPress dashboard) and give the new user the administrator role. Then log in as the new user and delete the admin user account. You’ll want to attribute the posts that the old admin user had to your new account.
Some people also recommend having a different display name than your username. I just launched a new site that displays my name, but has something completely unrelated for the username.
For passwords, make it very secure. I use the 1Password app to have different, strong passwords for every site and app that I use. That way they are hard to guess, won’t let you into other site if one is compromised but I can still access them.
You can also disable the theme and plugin editors for your WordPress admin. That way no one can add code to a theme or plugin that way. There’s a post at http://www.wpbeginner.com/wp-tutorials/how-to-disable-theme-and-plugin-editors-from-wordpress-admin-panel/ that can show you how to do that. You could still make edits via FTP or your web host’s control panel.
Many people use and recommend the WordFence Security plugin (https://wordpress.org/plugins/wordfence/). I have little experience with it, but it does have good ratings with almost a million active installs of it.
I also host my site at WP Engine. The monitor their sites for suspicious activity and provide protection against some types of attacks like denial of service ones. They also will make emergency updates to the WP core, or a plugin in the event there is a sever security issue discovered. Many “managed” WordPress hosts provide similar services. The VaultPress service from Automattic also provides malware monitoring in addition to backups.
Backups are vital for combating hackers too. You need regular backups. How often depends on how often your site is updated. WP Engine backs up my site daily which works well for me. It’s also a good idea to keep backups in a few different places. Download them to your local computer. Store them at Amazon in the S3 service or another cloud platform. Don’t keep all your data in one place.