I have been a victim of website hacking on because of my previous hosting, so it doesn’t matter how you secure your site if your hosting isn’t secure, you’d still get hacked. That’s the first thing you have to see to it.

Then the basic thing I do for most of my sites is to install SSL + CloudFlare + reCaptcha v3 (for spams).

For advanced security, WordFence Or Sucuri based on my experience. I only use them for enterprise clients.

Other habits,

• Monthly updates and backups (adjust timing accordingly)
• Rewrite common URLs
• Don’t use admin as user
• Rewrite theme names (use wp hide – vulnerabilities of wp, themes and plugins are constantly targeted)

Hope that helps.