If you are #selfHosting #WordPress and have access to the underlying filesystem, the best thing you can do to secure WP is change the permissions on your WP tree so it isn't writable by your web server user, except for the upload and temporary directories that WP needs to write into.
This prevents updates through the WP dashboard, so you need to regularly check for updates and loosen permissions while applying them.
I have a shell script for toggling permissions: https://gist.github.com/jikamens/9037496f01a4343578167a99a7ec78e6
#infosec