-Hide all those wp-admin/ and phpmyadmin/ URLs
-If possible, whitelist your incoming traffic with a firewall
-Make all your admin/root account names (not only passwords!) hard to guess
-...and remember that this won't help if you publish posts from that account (the author name is visible on every post) or reuse its e-mail address anywhere else
-...or if you saved the credentials in your Google account and they leaked
-Learn more about UNIX file permissions and the principle of least privilege, and apply them while maintaining your website: maybe you don't really need that WordPress plug-in store to work if you upload the plugins via SFTP anyway
-Buy that SSL certificate. Seriously.
-Force all of your admins to use hard-to-break passwords and 2FA by design
-Keep your stuff updated, even (or maybe especially) those barely used WP plug-ins and your server application
-Monitor and back up your stuff
-Read more (incl. the generic stuff like XSS or CORS misconfiguration prevention); I'm a noob lol
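Here is an added example script (not from the original post) that puts the least-privilege and "no plug-in store" points above into practice: it audits a WordPress tree for world-writable entries, sets DISALLOW_FILE_MODS in wp-config.php so the in-admin plugin/theme installer and file editor are switched off, and leaves the web server with read-only access. It assumes the files are owned by the SFTP admin user with the web server's group as group owner, and that wp-config.php carries the standard "stop editing" marker.

```shell
#!/bin/sh
# Added example: least-privilege hardening for a WordPress tree whose plugins
# arrive over SFTP, so the web server never needs write access to the files.
# Assumptions: owner = SFTP admin user, group = web server group, and
# wp-config.php contains the stock "stop editing" marker line.
set -eu

# Count files and directories writable by "others" (the goal is zero).
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Succeed only when wp-config.php defines DISALLOW_FILE_MODS as true.
wp_config_disallows_mods() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_MODS'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

harden_wp_tree() {
    root="$1"
    cfg="$root/wp-config.php"
    # 1. Switch off plugin/theme installs and the file editor. The define has
    #    to sit above the "stop editing" marker, before wp-settings.php loads.
    if ! wp_config_disallows_mods "$root"; then
        awk -v line="define( 'DISALLOW_FILE_MODS', true );" \
            '/stop editing/ && !inserted { print line; inserted = 1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        wp_config_disallows_mods "$root" || echo "warning: marker not found in $cfg" >&2
    fi
    # 2. Directories traversable, files readable, nothing writable by the server.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # 3. DB credentials and salts: readable by owner and web-server group only.
    chmod 640 "$cfg"
}

# Usage: sh harden_wp.sh /var/www/example.org   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    harden_wp_tree "$1"
    echo "world-writable entries left: $(count_world_writable "$1")"
fi
```

Run it as the SFTP admin user after each upload; a non-zero count afterwards means something outside the tree's ownership model has crept in.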

If you already donated to human rights funds of your choice and still want to help someone, you can donate to me by paying whatever you want at my Bandcamp page. Thank you in advance and good luck!