1. Server-level protection, including blocking known dumb requests, limiting password attempts, blocking access to what is not needed, correct rights, etc. Fail2ban, UWF and that's it, plus Nginx.
2. Building a project based on Composer, where WP is a regular dependency, like everything else. Automatic deployment with the possibility of instant rollback. Checksum monitoring. Monitor performance, availability and logs.
3. Checking all the code that is being installed. Never use "zeroed" plugins and themes.
4. Using the best security practices when writing your code.
5. Using bcrypt or argon for WP passwords.
6. Using .env
7. Access to wp-admin only by IP or by IP via VPN (so that you don't have to update the whitelist if the IP changes).
8. In some cases, CloudFlare is at the entrance.
I don't use or recommend any plugins like Wordfence, iThemes Security, etc. They only slow down the site, don't do anything that can't be done without them, are themselves a vulnerability and create a false sense of security.

1) Wordfence
2) Reliable hosting
3) Cleantalk to protect against SPAM or Akismet
4) Clearfy
5) If you install zeroed plugins, carefully study their contents (a common problem that occurs)

For any sites:

• Protection against "hacking": here
  
• Spam protection: here
  

iThemes Security (formerly Better WP Security) are monsters.
I use Limit login attempts and have written my own solution - kwpl: Kill wp-login & Fix Login
by the way... Don't install null themes and plugins.
Update the VI and theme and plugins on time.
Do not let users into the admin panel, only the admin.
The admin account is cunning.
Monitoring of logs for artifacts
Backups of course.

Clearfy to protect
Kama Spamblock from autospam
These two are enough for basic protection. Of the more complex ones, I like All In One WP Security & Firewall
, it has everything to protect the file system, databases, and that's it.