A tip on WordPress security

Most of us who run WordPress websites have at least once had one of those sites hacked, defaced, or otherwise compromised.

The thing is that WordPress, as well as most of its plugins, is Open Source. Most threats can be prevented simply by updating WordPress to the latest release and keeping your plugins secure. Before you install a plugin, check whether it is a potential security risk, or use plugins from trusted publishers only. Also, always remove plugins you don’t use.

Most security advice can be found in the WordPress Codex. Most of what is written on the linked page should be implemented. It will keep your WordPress safe, and if you use shared hosting, it will keep your server neighbourhood safe too.

Here I would like to pay closer attention to file permissions. The WordPress Codex says that folders should be 755 and files should be 644, but there are some things you can tighten up a little more than this.

For example, why would you let anybody have write permission on your wp-config.php or index.php files? So, basically, you can set 400 file permissions on wp-config.php, index.php and wp-blog-header.php. Mode 400 means only the file owner can read the file, so this assumes PHP runs as your account user (as it does on typical cPanel setups); otherwise the web server cannot read these files and the site breaks.

Also, for the .htaccess file, you should use 404 file permissions: the web server process itself, not your PHP user, has to read it, so it must stay world-readable.

Now, there is a small problem with this. If you try to change these file permissions via FileZilla, for example, it sets the wrong permissions without notifying you. If you try to set file permissions to 400 and 404, FileZilla sets them to 600 and 604 respectively.

So you need to do this via the File Manager in cPanel or another web hosting panel. Just remember to tick the “Show Hidden Files (dotfiles)” option in the start-up prompt.
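If you have shell access to the host, the same modes can be applied and, more importantly, re-checked so that a silent 400 to 600 / 404 to 604 change like the FileZilla one is caught. This is an added example, not from the original post; it assumes a POSIX shell with GNU `stat -c` and the WordPress root passed as an argument.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the tightened
# WordPress file modes from the post and verify them afterwards.
# Assumes GNU coreutils (stat -c '%a' prints the octal mode, e.g. 400).

# Files that should be readable by the owner only (mode 400).
OWNER_ONLY="wp-config.php index.php wp-blog-header.php"
# .htaccess must stay world-readable for the web server (mode 404).
WORLD_READ=".htaccess"

# Print the octal mode of a file, e.g. 400 or 644.
file_mode() {
    stat -c '%a' "$1"
}

# Apply the modes from the post to the WordPress root given as $1.
harden_wp_perms() {
    root="$1"
    for f in $OWNER_ONLY; do
        if [ -f "$root/$f" ]; then chmod 400 "$root/$f"; fi
    done
    if [ -f "$root/$WORLD_READ" ]; then chmod 404 "$root/$WORLD_READ"; fi
}

# Verify the modes; returns 0 if all match, 1 otherwise, listing each
# deviation (e.g. the 600 / 604 that an FTP client may have set).
check_wp_perms() {
    root="$1"; rc=0
    for f in $OWNER_ONLY; do
        [ -f "$root/$f" ] || continue
        mode=$(file_mode "$root/$f")
        if [ "$mode" != "400" ]; then
            echo "DRIFT: $f is $mode, expected 400"; rc=1
        fi
    done
    if [ -f "$root/$WORLD_READ" ]; then
        mode=$(file_mode "$root/$WORLD_READ")
        if [ "$mode" != "404" ]; then
            echo "DRIFT: $WORLD_READ is $mode, expected 404"; rc=1
        fi
    fi
    return $rc
}
```

Run `harden_wp_perms /path/to/wordpress` once, then `check_wp_perms /path/to/wordpress` from cron or after any FTP session to see whether the modes drifted.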

Once again, your site will be pretty safe if you just don’t let it collect dust.
