ATTENTION : Securing your Wordpress installation is important to prevent hackers from installing malware on your systems, stealing information/passwords from you and/or your users.
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
Updating Plugins : Go to Plugins / Installed Plugins; the list of all your plugins will appear. If a certain plugin is not on its latest version, WordPress will let you know
Updating Themes :Go to Appearance / Themes, and you’ll see all your installed themes there. The outdated ones will be marked just like plugins were. Simply click on “Update now.”
BEST : Update every day. Your WordPress core software and plugins should be updated every 24 hours. This will protect you from "Zero-Day" hacks. Hackers are busy attacking websites every day, so you need to be equally vigilant defending yours.
3. Choosing your username/password
Try to be creative and do not use admin as your administrator username. Use hard and long passwords with combinations of both upper/lower case letters, symbols, and numbers. Change them every now and then.
BEST : Use only strong passwords. 32 characters is a good length. 64 is great. This should apply to both your database password AND your account passwords.
4. Do not use nulled/free unofficial software
Nulled softwares often have backdoors/malware in them. Downloading themes/plugins outside Wordpress themselves pose a higher risk that the author may have backdoors/malwares written into them.
5. Using Wordfence plugin
The plugin is free and does a decent job, but will not protect you entirely from malware especially if you do not follow the other steps.
6. Changing wp-admin URL
Changing wp-admin URL helps prevent hackers from easily try to break into your wordpress installation via the www.yourdomain.com/wp-admin URL. Wordpress.org has a nice article on how to achieve this