This morning one of my other WordPress installations emailed me saying some IP address from China was trying to login as user admin. They got locked out because I have limit login lockout to lock people out after so many unsuccessful. I use Wordfence Security plugin (https://wordpress.org/plugins/wordfence/). I did double check all it’s recommendations to make sure I did everything.
Also a good idea to have your entire WordPress site backed up off server. I use UpdraftPlus Backup/Restore (https://wordpress.org/plugins/updraftplus/) and have multiple versions stored over on Amazon S3.
These two plugins will secure you to make you an incredible hard target to hack. Hackers will most likely just move on to someone else that hasn’t secured their website.