There is a part of config-sample.php that's headed'Authentication Unique Keys.' Four explanations that appear inside the block will be found by you. A hyperlink is fix hacked wordpress inside that section of code.You have to enter that link into your browser, copy the contents which you return, and change the keys you have with the specific, pseudo-random keys given by the website. That makes it harder for attackers to create a'logged-in' dessert for your website.
Do not depend on your internet host - Many people depend on their web host to"do all that technical stuff for me", not realizing that sometimes, they do not! Far better to have the responsibility lie with you, rather than from your control.
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it there if it can't be found in the root directory. Additionally, nobody else will have the ability to read the document unless they have FTP or SSH access to your server.
Can you view that folder Imagine if you visit WP-Content/plugins? If so, upload this blank Index.html file into that folder as well so people can't see what plugins you have. Someone can use that to get access because even if your version of WordPress is current, if you're using a plugin or navigate here an old plugin with a security hole.
Those are three things you can do to keep WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your entire account.