1) Up-to-date WordPress Version and All Plugins
This is number 1 for a reason. The most important step you can take to keep your WP site safe from known exploits is to keep the WP core and all installed plugins updated to the latest version. Every WordPress release ships with new security patches, so an install that is behind is missing fixes for holes that are already public.
2) Website Backup
Either install a backup plugin that copies all your WP files and the database, or schedule backups at server level, so that you can restore your website to its latest good version should it be hacked.
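As an added example (not code from this page), here is a server-level backup script of the kind that the second approach calls for. It assumes a POSIX shell, `tar`, and `mysqldump` on the server, reads the database credentials out of `wp-config.php` so they are not duplicated in the script, and keeps only the newest N copies; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: file + database backup for a WordPress install.
# Assumptions (not from the page): the site lives under the given root,
# backups go to the given directory, and mysqldump is on PATH.

# Read one define('KEY', 'value') constant out of wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole WordPress tree (core, themes, plugins, uploads, wp-config.php).
backup_wp_files() {
    # $1 = WordPress root, $2 = backup directory, $3 = timestamp label
    archive="$2/files-$3.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$archive"
}

# Dump the database using the same credentials WordPress itself uses.
backup_wp_db() {
    # $1 = WordPress root, $2 = backup directory, $3 = timestamp label
    cfg="$1/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)   # may be host:port; adjust if so
    dump="$2/db-$3.sql.gz"
    # The password goes in via MYSQL_PWD so it never shows up in `ps` output.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction \
        -h "${db_host:-localhost}" -u "$db_user" "$db_name" | gzip > "$dump"
    echo "$dump"
}

# Keep only the newest N backups of each kind so the disk does not fill up.
prune_backups() {
    # $1 = backup directory, $2 = number of files to keep per prefix
    for prefix in files- db-; do
        ls -1t "$1"/"$prefix"* 2>/dev/null | tail -n +"$(( $2 + 1 ))" | while read -r old; do
            rm -f "$old"
        done
    done
}

backup_wordpress() {
    # $1 = WordPress root, $2 = backup directory, $3 = copies to keep (default 7)
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2"
    backup_wp_files "$1" "$2" "$stamp"
    backup_wp_db "$1" "$2" "$stamp"
    prune_backups "$2" "${3:-7}"
}

# Usage (placeholder paths): ./wp-backup.sh /var/www/html /var/backups/wordpress 7
if [ "$#" -ge 2 ]; then
    backup_wordpress "$1" "$2" "$3"
fi
```

Run it from cron as a user that can read the WordPress tree, and point the backup directory at storage outside the web root (ideally off the server), otherwise an attacker who gets in can delete the backups along with the site.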
3) Custom Login URL or IP whitelist
Every WordPress site has the same login URL: your site's URL followed by /wp-admin. All hackers know this, so it leaves your login screen exposed to anyone who wants to attempt a brute-force attack. Always change your login URL to something unique, e.g. /mycmslogin. An alternative approach is to allow access to the /wp-admin URL only from a predefined list of IP addresses (e.g. your home or your office).
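The IP allow-list approach, as an added example that is not part of the original article: a small shell helper that validates the addresses and writes an Apache 2.4 `.htaccess` for the `wp-admin/` directory. It assumes Apache 2.4 with `mod_authz_core` and `AllowOverride` enabled for the site; the addresses in the usage comment are constructed documentation-range values.

```shell
#!/bin/sh
# Added example: restrict /wp-admin to an IP allow list with an Apache 2.4
# .htaccess file. Assumptions (not from the page): Apache 2.4, mod_authz_core,
# AllowOverride enabled for the WordPress directory.

# Accept an IPv4 address or CIDR range, reject anything else (including shell
# metacharacters, so nothing untrusted ever lands in the config file).
valid_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1   # each octet must be 0-255
    done
}

# Write an .htaccess that lets only the given addresses reach the directory.
write_wp_admin_allowlist() {
    # $1 = file to write (normally <wp_root>/wp-admin/.htaccess), $2.. = allowed IPs
    out=$1; shift
    [ "$#" -ge 1 ] || { echo "need at least one IP" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4_or_cidr "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    {
        echo "# Only these addresses may reach /wp-admin"
        echo "<RequireAny>"
        for ip in "$@"; do
            echo "    Require ip $ip"
        done
        echo "</RequireAny>"
        echo ""
        echo "# admin-ajax.php is called by the public front end (themes and plugins);"
        echo "# keep it reachable or front-end features that use AJAX break."
        echo "<Files \"admin-ajax.php\">"
        echo "    Require all granted"
        echo "</Files>"
    } > "$out"
}

# Usage (constructed addresses): ./wp-admin-allowlist.sh /var/www/html/wp-admin/.htaccess 203.0.113.10 198.51.100.0/24
if [ "$#" -ge 2 ]; then
    write_wp_admin_allowlist "$@"
fi
```

Two caveats when using this: the login form itself is `wp-login.php` in the site root, not inside `wp-admin/`, so it needs its own `<Files "wp-login.php">` block with the same `Require ip` list in the root `.htaccess`; and if the site sits behind a proxy or CDN, Apache sees the proxy's address, so the allow list only works once `mod_remoteip` (or the equivalent) restores the real client IP.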
4) Change the Name of the Admin User
The default WordPress user is named admin. Hackers know this and pair this predictable username with guessed passwords when trying to break into your site. Always set up a unique admin username, or delete the default user called admin.
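One way to carry this out from the command line, as an added example rather than anything from the article: create a new administrator, hand admin's posts over to it, then delete admin. It assumes WP-CLI (the `wp` command) is installed on the server and can reach the site at the given root; the username and e-mail in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: replace the default "admin" account using WP-CLI.
# Assumptions (not from the page): WP-CLI is installed and the site root,
# new username and e-mail are supplied by the caller.

# Create a fresh administrator, move admin's content to it, then delete admin.
replace_default_admin() {
    # $1 = WordPress root, $2 = new username, $3 = e-mail for the new account
    wp_root=$1; new_user=$2; new_email=$3
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }

    # Refuse predictable names that would only move the problem.
    case "$new_user" in
        admin|administrator|root|test|user)
            echo "choose a less guessable username" >&2; return 1 ;;
    esac

    # Nothing to do if the default account is already gone.
    if ! wp --path="$wp_root" user get admin --field=ID >/dev/null 2>&1; then
        echo "no 'admin' user present" >&2; return 0
    fi

    # --porcelain makes wp print only the new user's ID.
    new_id=$(wp --path="$wp_root" user create "$new_user" "$new_email" \
        --role=administrator --porcelain) || return 1

    # Reassign posts and pages owned by admin so nothing is lost, then remove it.
    wp --path="$wp_root" user delete admin --reassign="$new_id" --yes
}

# Usage (placeholder values): ./replace-admin.sh /var/www/html siteowner owner@example.com
if [ "$#" -eq 3 ]; then
    replace_default_admin "$1" "$2" "$3"
fi
```

Set the new account's password right after, for example with `wp user update <id> --user_pass=...` or the site's password-reset flow, since `--porcelain` prints only the ID and not the generated password. Make sure you are logged in as the new account before the script deletes admin if you run the steps by hand.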
5) Anti-Spam Plugin
Install the Akismet plugin, which helps defeat spam attacks that target the comment boxes below your blog posts.