General recommendations for keeping wordpress secure, in addition to keeping wordpress itself up to date:
1.) Update all plugins, or remove the ones that you are not using. We recommend removing ANY plugin that you don't specifically know what the use is for. If a plugin has not been updated by the developer in the past 6 months, don’t use it.
2.) Update ALL themes, and/or remove the ones that you are not using. If a theme has not been updated by the developer in the past 6 months, it's considered to no longer be secure and should not be used.
3.) Change your Wordpress Admin login, using a secure password – which is at least 12 characters long, all random (no words or names), with upper and lower case letters, numbers, and special characters. Do not use the username admin - choose a unique username.
4.) Protect your wordpress admin login page using the .htaccess file or a reputable wordpress plugin.