1- Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins and themes as quick as possible.
2- Have a strong password.
3- Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
a- Block Access To wp-content Folder

The wp-content folder contains all your images, plugins and themes, it is a very important folder for your WordPress site. If this folder gets hacked they can delete all your themes and plugins on your site leaving your site blank.

To block access to your wp-content folder create a new htaccess file and save this at the root level of your wp-content folder.

Now add the following code in this new htaccess file.

Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpe?g|png|gif|js)$”>
Allow from all
</Files>

b- Block file types being served from uploads and wp-includes

Having cleaned numerous WordPress hacks, in our experience most backdoor access files disguise themselves in /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that some what seems like WordPress core files, but they are not. One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. We will show you how you can use .htaccess file to disable PHP execution in a specific directory.

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

<Files *.php>
deny from all
</Files>

Now upload this file in your /wp-content/uploads/ folder. You should also upload it in your /wp-includes/ folder.

Code Explanation: This code checks for any PHP file and denies access to it.

4- Delete themes and plugins you not using.
5- Deny access to the wp-config.php file.

Open your wordpress main .htaccess and paste the following code in there:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

6= Disable Directory Browsing

If someone has access to your directories they will be able to view all the folders in this directory if you don’t have an index.html or a index.php file. You can stop this with htaccess by adding the following line the main .htaccess file, the one on the public_html. This will make sure that the hacker can not browse a directory even if an index file doesn’t exist.

# directory browsing
Options All -Indexes

7- Protect Against Requests That Haven’t Got A HTTP_USER_AGENT

You can stop this with htaccess by adding the below code to the main .htaccess file, the one on the public_html.

<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.yourwebsite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

Finally Good Luck!