My best tips for a secure WordPress, besides the obvious, are the following:
- Use a password manager
- Use 2FA inside WordPress
- Check regularly whether your off-server backups actually work as a site restore
- Update your workstations, phones, tablets, the works, all the time. You should want to be the first to update your OS to a newer version
- Limit user rights vigorously. Does your client really need to have admin rights, for instance?
And lastly, educate yourself about web security 24/7. Understanding everything that goes into a secure WordPress site is never enough. Sounds dramatic, but trust me, it is dramatic when your site gets hacked.