To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.

Updating Plugins : Go to Plugins / Installed Plugins; the list of all your plugins will appear. If a certain plugin is not on its latest version, WordPress will let you know

Updating Themes :Go to Appearance / Themes, and you’ll see all your installed themes there. The outdated ones will be marked just like plugins were. Simply click on “Update now.”

BEST : Update every day. Your WordPress core software and plugins should be updated every 24 hours. This will protect you from "Zero-Day" hacks. Hackers are busy attacking websites every day, so you need to be equally vigilant defending yours.

3. Choosing your username/password

Try to be creative and do not use admin as your administrator username. Use hard and long passwords with combinations of both upper/lower case letters, symbols, and numbers. Change them every now and then.

BEST : Use only strong passwords. 32 characters is a good length. 64 is great. This should apply to both your database password AND your account passwords.

4. Do not use nulled/free unofficial software

Nulled softwares often have backdoors/malware in them. Downloading themes/plugins outside Wordpress themselves pose a higher risk that the author may have backdoors/malwares written into them.

5. Using Wordfence plugin

The plugin is free and does a decent job, but will not protect you entirely from malware especially if you do not follow the other steps.

6. Changing wp-admin URL

Changing wp-admin URL helps prevent hackers from easily try to break into your wordpress installation via the www.yourdomain.com/wp-admin URL. Wordpress.org has a nice article on how to achieve this