The Jetpack blog (Jetpack is a WordPress plug-in) has a pretty good "WordPress Security for Beginners" post that walks through what you need to do to keep your site safe.

The TL;DR:

  • choose a good host
  • keep software updated (WP, plug-ins, themes)
  • use secure credentials
  • off-site backups
  • protect against brute force attacks
  • scan for malware
  • monitor for downtime
  • remove unused or unmaintained plug-ins and themes
  • use 2FA
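Two of those items ("keep software updated" and "remove unused / unmaintained plug-ins") are easy to check from the command line with WP-CLI. The script below is an added example, not code from the Jetpack post: it assumes the output of `wp plugin list --fields=name,status,update --format=csv`, where the `update` column reads `available` or `none` and `status` reads `active` or `inactive`, and it runs offline against a constructed sample inventory (not real site data).

```shell
#!/bin/sh
# Audit a WordPress plug-in inventory against two checklist items:
# "keep software updated" and "remove unused / unmaintained plug-ins".
# Input is CSV in the shape produced by
#   wp plugin list --fields=name,status,update --format=csv
# (the same fields work for `wp theme list`, so themes can be audited the same way).

# Print the names of plug-ins that have an update available.
needs_update() {
  # $1: CSV text, header line first
  printf '%s\n' "$1" | awk -F, 'NR>1 && $3=="available" {print $1}'
}

# Print the names of plug-ins that are installed but not active.
# Inactive code is still on disk and still reachable by a web request,
# so it still needs patching; the cheapest fix is to delete it.
unused() {
  printf '%s\n' "$1" | awk -F, 'NR>1 && $2=="inactive" {print $1}'
}

# Constructed sample inventory so the script runs stand-alone.
# On a live site replace it with:
#   SAMPLE=$(wp plugin list --fields=name,status,update --format=csv)
SAMPLE='name,status,update
akismet,active,none
hello,inactive,none
jetpack,active,available
old-gallery,inactive,available'

echo "plug-ins with updates pending:"
needs_update "$SAMPLE"
echo "inactive plug-ins to remove:"
unused "$SAMPLE"
```

Run it from the site root (where WP-CLI can find wp-config.php) and feed the two lists to `wp plugin update` and `wp plugin delete` once you have looked them over; anything that shows up as inactive and also abandoned in the plug-in directory is a candidate for removal rather than an update.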