...
Do not use the conventional admin
username for the site administrator. Be smart with the usernames and choose a complex password. Kalamuna has special domain address that needs to be used as user 1 email.
When possible, inactivate the user 1, as this is the user with the greatest privileges and very often bypasses all Drupal security layers. Use regular users with administrator
role instead.
5. Use Drupal security modules
Login Security: improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.
Password Policy: provides a way to enforce restrictions on user passwords by defining password policies.
Captcha: a challenge-response test most often placed within web forms to determine whether the user is human.
Automated Logout: provides the ability to log users out after a specified time of inactivity.
Session Limit: this allows to limit the number of simultaneous sessions per user.
Security Kit: provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.
Security Review: automates testing for many of the easy-to-make mistakes that render your site insecure.
...