...
using good judgement when creating new users (do they really need to be an admin or will a lower role suffice?)
not disabling 2FA simply because it is easier to not use it
not installing questionable plugins which could pose a security risk
More information is available at https://wordpress.org/support/article/hardening-wordpress/