Self-hosted WordPress.org software is, in itself, well maintained and reasonably secure. Most of the "WordPress security flaws" you read about have little to do with the core software and a lot to do with what surrounds it: the host, the hosting setup, or the way the software has been configured. When a WordPress site is hacked it is usually through a SQL injection (typically in a plugin or theme rather than core) or because file and folder permissions on the host let the web server, or another customer on the same machine, write where it should not.
Here are five steps that will make your WordPress-powered website more secure.
WordPress, Theme and Plugin Updates
The simplest security task is also the most important. Core WordPress, plugins and themes all receive updates, and many of them fix security bugs that are publicly documented the moment they ship, so an unpatched site is an easy target. Updating is as simple as clicking the update button when your WordPress dashboard tells you updates are available: as soon as you see one, install it. Since WordPress 3.7 minor core releases (security and maintenance) install themselves automatically unless you have switched that off; plugins and themes still need you unless you enable automatic updates for them. Take a backup before a major update, and delete plugins and themes you are not using, because an inactive plugin's files are still on disk and can still be reachable.
Secure Passwords and Usernames
Don't make it easy for a person or a script to guess your username or password. Before WordPress 3.0 the first account was always called 'admin', so brute-force tools still try that name first; since 3.0 you choose the username at install time, so don't choose 'admin'. If your site already has an 'admin' account, create a new administrator with a different name and delete or demote the old one. Use your name or something else you will remember, but bear in mind that usernames are not really secret (author archive URLs reveal them), so the password carries the real weight.
For passwords, use at least 10 characters (longer is better) mixing upper- and lower-case letters, digits and punctuation, or better still a long random password from a password manager. Length beats complexity, and never reuse a password from another site.
Remember that usernames and passwords are not only used for your WordPress dashboard (i.e. example.com/wp-admin): wp-config.php holds the database username and password, and you have separate credentials for FTP (use SFTP or FTPS rather than plain FTP, which sends them in the clear) and for your cPanel or hosting account. Each of these deserves its own strong password.
Folder Permission Settings
Incorrect host file and folder permissions cause problems in both directions: too restrictive and WordPress cannot write uploads or install updates; too permissive and an attacker (or another customer on a shared host) can read wp-config.php or drop files into your site. Aim for the most restrictive setting that still works: directories 755, files 644, wp-config.php 600 (or 440 if the web server must read it as a member of your group), nothing world-writable, and the whole tree owned by your own account rather than the web server's user. WordPress.org does not mandate exact numbers because hosts differ, but its guidance on changing file permissions documents these values and is worth reading before you change anything.
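As an added example (not code from the original post), the following shell functions apply the baseline just described to a site tree and then audit it for anything that deviates. The paths and the owner account are assumptions; replace them with your own site directory and the account that should own the site, never the web server's user.

```shell
#!/bin/sh
# Added example, not from the original post: apply the baseline permissions the
# text describes (dirs 755, files 644, wp-config.php 600) and audit a tree for
# anything that deviates. Paths and the site owner are assumptions.
# Usage: set_wp_permissions /var/www/example.com [owner]

set_wp_permissions() {
    root="$1"
    owner="${2:-}"
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 1
    fi
    # Own the tree as your account, not as the web server (needs root)
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root"
    fi
    # Directories: owner rwx, everyone else r-x (traversable, not writable)
    find "$root" -type d -exec chmod 755 {} +
    # Regular files: owner rw, everyone else read-only
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the DB password and the salts: owner-only
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Print how many directories/files still deviate from the baseline above
# (wp-config.php is excluded because it is deliberately tighter).
audit_wp_permissions() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
    echo $((bad_dirs + bad_files))
}

# List anything world-writable: the first thing an attacker on a shared
# host looks for, and the audit you should repeat after every plugin install.
find_world_writable() {
    find "$1" -perm -002 ! -type l
}
```

One caveat: wp-content/uploads must be writable by the PHP process. The clean way is to have PHP run as your own account (suexec or a dedicated PHP-FPM pool); if your host runs PHP as a shared web server user instead, give only that directory group write access (775 with the web server in your group) rather than making anything world-writable.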
SALT for WordPress Security
wp-config.php reserves eight lines for the authentication keys and salts (the sample file labels the section "Authentication Unique Keys and Salts"; this post calls it SALT). They are secret values mixed into the hashes WordPress uses to sign its login cookies and nonces, so someone who does not know them cannot forge a cookie for your site even after reading the password hashes out of your database; they do not encrypt anything. If you installed through the web installer they were generated for you, but a wp-config.php copied by hand from wp-config-sample.php may still read 'put your unique phrase here', a value every attacker knows. Generating real ones takes seconds: open https://api.wordpress.org/secret-key/1.1/salt/ in your browser and paste the eight lines over the existing ones. Never copy the values printed below; they only illustrate the shape. Note that changing the keys logs every user out, which is a nuisance on a busy site but exactly what you want after a suspected compromise. The section will then look something like:
define('AUTH_KEY', '9Yk0y1/<K`~T-XRoTtMy7O}?qs;~W7:9pI_)~|4Kj)LD!|<#nUJQFh$ mD|R$3');
define('SECURE_AUTH_KEY', 'Dyq0w3!nTVm=}[geju3nvh!xxXf=.}f!+[g_ -]e4N0z#9gPh3]5ng[/vkH_4>(B');
define('LOGGED_IN_KEY', 'yxm=bUUt3?j"biLLl|x7]Wz|iVM.+$83^_%jWmy^~|nk+Wv+;Iu5&s=kt)(6ov!');
define('NONCE_KEY', 'rwO)A#HZ/[email protected],/-oMk99m n&@<[email protected]]mv}r_<=h!XgriqqR>f}spOYT|p8,');
define('AUTH_SALT', 'F_1{>5JX*N!F9x/7rfrJz|]-2e$m$r-/:j:jx}L$NtNQD_>2|VvW)8`)[J?VD0+2');
define('SECURE_AUTH_SALT', '$mWP`VoKz)yn--Y(lLfv;l}$1/Gw0X/b1m#ajX|?s^A<3xg .1Sm-YEB{3g%XF');
define('LOGGED_IN_SALT', 'Z)R,B?M9oulWjYNWkpWz,]w+=3OO!;:mA 7XbwH[Z;5~Ok=sLL_Z*R|!aJo(Ri');
define('NONCE_SALT', '<-dE+cNHS;gOP/aCGc|f!+|ejlqf>LJ<9,o7T~HrDzwz;th.87!{}S4N+z5_Jh/q');
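Pasting by hand is fine once; on a server you will want to do it from the command line, and a naive sed will choke on the slashes, ampersands and backslashes in the random values. As an added example (not from the original post or from WordPress itself), these shell functions detect placeholder salts and replace the eight define() lines with a freshly downloaded set, copying the new lines verbatim so no escaping is needed. File paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: swap the eight key/salt define()
# lines in wp-config.php for a freshly generated set, and detect configs that
# still carry the sample-file placeholders. File paths are assumptions.
# Usage:
#   curl -s https://api.wordpress.org/secret-key/1.1/salt/ > /tmp/salts.txt
#   rotate_wp_salts /var/www/example.com/wp-config.php /tmp/salts.txt

SALT_KEYS='AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT'

# Count salt lines that still hold the sample-file placeholder
count_placeholder_salts() {
    grep -c 'put your unique phrase here' "$1" || true
}

# Count define() lines for the eight keys and salts in a file
# (the "." stands for whichever quote character the file uses)
count_salt_defines() {
    grep -E -c "^[[:space:]]*define\([[:space:]]*.($SALT_KEYS)." "$1" || true
}

rotate_wp_salts() {
    config="$1"
    salts="$2"
    if [ ! -f "$config" ] || [ ! -f "$salts" ]; then
        echo "usage: rotate_wp_salts wp-config.php salts.txt" >&2
        return 1
    fi
    # Refuse to touch the config unless the new file holds exactly eight
    # defines (this also guarantees it is non-empty, which the awk NR==FNR
    # trick below relies on).
    if [ "$(count_salt_defines "$salts")" -ne 8 ]; then
        echo "expected 8 define() lines in $salts" >&2
        return 1
    fi
    cp "$config" "$config.bak"
    # First file: collect the new block verbatim. Second file: emit the block
    # where the first old key stood, drop every other old key/salt line, and
    # copy everything else through unchanged.
    awk -v keys="$SALT_KEYS" '
        NR == FNR { block = block $0 "\n"; next }
        $0 ~ ("^[[:space:]]*define\\([[:space:]]*.(" keys ").") {
            if (!done) { printf "%s", block; done = 1 }
            next
        }
        { print }
    ' "$salts" "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}
```

After rotating, check that count_salt_defines reports 8 for the config and count_placeholder_salts reports 0; keep the .bak copy only until you have logged in again, since it contains the old secrets.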
MySQL Table Security
By default WordPress creates its MySQL tables with the prefix 'wp_', and because the large majority of the millions of WordPress sites keep that default, automated SQL-injection attacks hard-code table names such as wp_users. Changing the $table_prefix value in wp-config.php from 'wp_' to something else (e.g. ab7_) keeps the tables easy to recognise while making those blind, scripted attacks miss. Be clear about what this buys you: it is obscurity, not a fix. An injection that can query information_schema.tables discovers the real names in a single step, so the actual cure is to patch or remove the vulnerable plugin; the prefix change only filters out the laziest attacks. Note also that the prefix is applied at install time. On an existing site you must rename every table yourself and also update the rows that embed the prefix in their values (the user_roles option and the capabilities and user_level keys in usermeta), otherwise every account silently loses its role.
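As an added example (not from the original post), this shell function generates the SQL for that migration from a list of table names, including the two UPDATE statements that are easy to forget. The prefixes and the table list are assumptions; on a real site feed it the output of SHOW TABLES, take a database backup, and only then change $table_prefix in wp-config.php and run the generated file.

```shell
#!/bin/sh
# Added example, not from the original post: print the SQL needed to move an
# existing site from one table prefix to another. Prefixes and the table list
# are assumptions; in practice feed it the output of SHOW TABLES.
# Usage: mysql -N -e 'SHOW TABLES' wordpress | gen_prefix_migration wp_ ab7_ > migrate.sql

gen_prefix_migration() {
    old="$1"
    new="$2"
    # WordPress accepts only letters, digits and underscores in $table_prefix
    case "$new" in
        ""|*[!A-Za-z0-9_]*) echo "invalid prefix: $new" >&2; return 1 ;;
    esac
    # Rename every table that carries the old prefix; leave other tables alone
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
        esac
    done
    # Two places store the prefix inside row *values*; miss them and every
    # account loses its role after the rename.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # LIKE treats _ as a single-character wildcard, so escape the underscores
    # in the old prefix before using it as a pattern.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$esc"
}
```

The SUBSTRING offset is the length of the old prefix plus one because MySQL string positions start at 1, so 'wp_capabilities' becomes 'ab7_capabilities' rather than losing a character.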
In addition to the above I thoroughly recommend serving the site over HTTPS, which needs a TLS (commonly still called SSL) certificate. At the very least it must cover every page where a username and password are entered (logging in to WordPress) and every form where visitors enter contact or financial details; otherwise those credentials cross the network in the clear. Obtaining and installing a certificate used to be fiddly and still depends on your host, although most hosts can now issue a free one (for example through Let's Encrypt) from the control panel. Once it is in place, set the FORCE_SSL_ADMIN constant to true in wp-config.php so that logins and the dashboard are always served over HTTPS.
You could also add to the list: "use second-factor authentication" instead of standard passwords.
There is a new website authentication method, shieldpass.com, where you buy cheap access cards and then install the WordPress plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication, which stops attackers' man-in-the-middle tactics, even one with access to your laptop or mobile.