For website security, I will install Wordfence Security and All In One WP Security & Firewall.
The Wordfence Security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware. In the settings, I will set a limit on page views so that pages cannot be refreshed excessively, set the number of sign-in attempts allowed before a block, and block IP addresses that sign in with usernames that do not exist.
In Live Traffic, you can see which site the traffic is coming from, block that IP address or network, and run WHOIS to check the IP address location.
Under Performance Setup, you can choose Enable Basic Caching, which will increase speed 2 to 3 times, or Enable Wordfence Falcon Engine, which will increase speed 30 to 50 times. I haven't tried it; I leave this disabled because I am using the WP Fastest Cache plugin.
You are able to view Blocked IPs, Password Audit, Cellphone Sign-in, Country Blocking, Scan Schedule, Whois Lookup and Advanced Blocking.
The All In One WP Security & Firewall plugin is a comprehensive, user-friendly, all-in-one WordPress security and firewall plugin for your site.
The All In One WP Security & Firewall plugin's Settings can control files such as the .htaccess file and the wp-config.php file.
There are a lot of settings that need to be configured, such as removing the WP Generator Meta Info to prevent hackers from learning your WordPress version.
User Accounts lets you know whether your username is unique; don't use admin as your default username. In User Login, you should enable Login Lockdown and Force Logout, with Force Logout set to a minimum of 180 minutes depending on how long you work on your site.
If your site is not one where you allow visitors to register, I recommend enabling it under User Registration so that you can approve the usernames that are going to log in to your site. If your site is an e-commerce site and it is enabled, your customers will have to wait for you to approve them before they can start to shop for products and services.
I will normally change the Database Security settings. Remember to make a backup before you do this; your site may crash if you do not know how to do it.
For Filesystem Security, ensure the recommended actions are taken to prevent hackers from inserting code into your files. I will also enable WP File Access to prevent access to readme.html, license.txt and wp-config-sample.php.
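A quick way to confirm that the two settings above took effect (the generator meta tag is gone and the three files are blocked), as an added example that is not part of either plugin. The `audit` and `make_fetch` names and the sample responses are constructed for illustration:

```python
from html.parser import HTMLParser

# Files the post says WP File Access should block.
INFO_FILES = ("/readme.html", "/license.txt", "/wp-config-sample.php")

class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")

def audit(fetch):
    """fetch(path) -> (status_code, body). Returns a list of findings."""
    findings = []
    _, body = fetch("/")
    finder = GeneratorFinder()
    finder.feed(body)
    for g in finder.generators:
        if "wordpress" in g.lower():
            findings.append(f"generator meta tag exposes: {g}")
    for path in INFO_FILES:
        status, _ = fetch(path)
        if status == 200:
            findings.append(f"{path} is publicly readable (HTTP {status})")
    return findings

# Constructed sample responses (not captured from a real site).
BEFORE = {
    "/": (200, '<head><meta name="generator" content="WordPress 0.0.0-example" /></head>'),
    "/readme.html": (200, "<h1>WordPress</h1>"),
    "/license.txt": (200, "GPL"),
    "/wp-config-sample.php": (200, ""),
}
AFTER = {
    "/": (200, "<head><title>My site</title></head>"),
    "/readme.html": (403, ""),
    "/license.txt": (403, ""),
    "/wp-config-sample.php": (404, ""),
}

def make_fetch(pages):
    """Hypothetical offline stand-in for an HTTP client."""
    return lambda path: pages.get(path, (404, ""))

if __name__ == "__main__":
    for label, pages in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(make_fetch(pages)))
```

To run it against your own site, replace `make_fetch` with a function that requests each path and returns the status code and body.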
For Firewall, I will enable Basic Firewall Rules, Additional Firewall Rules, 5G Blacklist Firewall Rules, Internet Bots, Prevent Hotlinks and 404 Detection.
If you want to change your login URL, the right place is called Brute Force, where you can change your login page URL, but it may not work with some plugins that you may want to use to manage multiple WordPress sites, like the ManageWP plugin. I will enable Login Captcha and Honeypot.
Remember to enable SPAM Prevention and Scanner.