Securing your WP site properly is not an easy task, especially if you use many plugins.
There are some quick wins which you can implement which will secure your installation from rookies.
Disabling file edits
Most seen attack on WordPress sites is brute-force attack on wp-admin login form.
Hackers use a number of dictionaires and loop through combinations of words. So if you use some known word or combination your site could get breached pretty easily.
So first update passwords for all users inside your installation, and use something complex.
As soon as hackers obtain access to your installation they’ll try to insert malicious code inside wordpress template files.
You can modify template files by visiting Appearence -> Theme Editor.
To disable that on your server open file wp-config.php at root of your installation and copy paste these 2 lines inside:
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
Now when you save that file, this option for Theme Editor is gone.
Also adding new plugins is disabled.
When you need to add some plugin you visit that same file and comment out these 2 lines. When you’re done you add them back.
Free Tier includes 1 server and 2 sites.