Comb through the list of users with access and be sure to remove any former employees/admins
Check permissions carefully to make sure users have the appropriate access rights
Disable file editing in the admin using wp-config.php
Isolate user account for site from others
Make .htaccess inaccessible to site user (but accessible to www-data)
Make wp-config.php read-only
Remove any unused plugins
Check security reports on existing ones for outstanding or frequent issues
Check when plugins were last updated by author in repository - old / un-maintained plugins are candidates for replacement or removal
Reduce permissions on DB account for site to SELECT / UPDATE / INSERT / DELETE (you will need to unlock when adding or updating plugins that use custom tables)
Set up wp-cli to automatically update plugins nightly (wp plugin update --all)
Set up the wp-fail2ban plugin with the wordpress-hard profile.
Globally disable access to xmlrpc.php in Apache config (403, helps prevent brute force and other quiet attacks) - unless actually used.
Globally disable access to any .log or .git files in Apache config
Consider the Wordfence or Sucuri plugin for file integrity checks / monitoring
Set up daily backups of the site
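
Several of the items above can be verified mechanically. The script below is an added example, not part of the original checklist: it checks that wp-config.php has no write bits, that admin file editing is disabled through WordPress's DISALLOW_FILE_EDIT constant, and that no .git directories or .log files sit under the docroot. The names audit_wp and AUDIT_FAILS and the docroot path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit_wp, AUDIT_FAILS and the docroot path are hypothetical names.
# Usage: sh audit_wp.sh /var/www/example

AUDIT_FAILS=0
fail() { echo "FAIL: $1"; AUDIT_FAILS=$((AUDIT_FAILS + 1)); }

# Audit one WordPress docroot; returns 0 only when nothing was flagged.
audit_wp() {
    root=$1
    cfg="$root/wp-config.php"
    AUDIT_FAILS=0

    if [ ! -f "$cfg" ]; then
        fail "wp-config.php not found in $root"
    else
        # Read-only means no write bit for owner, group or other. Mode bits are
        # tested instead of [ -w ] because root can always write.
        if [ -n "$(find "$cfg" \( -perm -200 -o -perm -020 -o -perm -002 \))" ]; then
            fail "wp-config.php has a write bit set"
        fi
        # Admin file editing is disabled by define('DISALLOW_FILE_EDIT', true);
        if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            fail "DISALLOW_FILE_EDIT is not defined as true"
        fi
    fi

    # .git directories and .log files under the docroot are what the Apache
    # deny rule has to cover; list them so they can be moved or removed.
    hits=$(find "$root" \( -name .git -o -name '*.log' \) -print)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/FAIL: found under docroot: /'
        AUDIT_FAILS=$((AUDIT_FAILS + $(echo "$hits" | wc -l)))
    fi

    [ "$AUDIT_FAILS" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    audit_wp "$1"
fi
```

Run it from cron next to the nightly plugin update so a regression in permissions or a stray debug.log is reported the next morning.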