I have now been using Wordpress for years. Only hacked once and that was caused by a rogue plugin.
Do not use "admin" for the name of your admin account.
Ideally use htaccess to whitelist your IP address for /wp-admin (I do this for my most important sites and the logs do report a lot of people failing to brute force their way in).
Install Secure Wordpress and Wordpress Firewall plugins
Use a trusted theme - many old themes may look nice but the vulnerabilities are rarely patched
Ideally lock down your FTP - I use Cpanel and my host added the feature where you whitelist your IP for FTP access (you can give global access for a limited time too).
I have experienced two hacks: one was a trojan/virus on a PC which sniffed FTP details and then simply uploaded its own files. The other was an image upload plugin for Wordpress which had a vulnerability.
Oh yeah, and backup often. Ideally automated backups to a non-public folder and download them too.
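The /wp-admin IP whitelist mentioned above, as an added example that is not the poster's own configuration: Apache 2.4 syntax, with 203.0.113.10 standing in for your own address (a placeholder, not a real value from the post), and an exception for admin-ajax.php so public-facing themes and plugins that call it keep working.

```apache
# File 1: /wp-admin/.htaccess  (Apache 2.4 "Require" syntax)
# Default for everything under /wp-admin/: only the whitelisted address.
# 203.0.113.10 is a placeholder; replace it with your own static IP.
<RequireAny>
    Require ip 203.0.113.10
</RequireAny>

# admin-ajax.php is called by the public front end of many themes/plugins,
# so it must stay reachable; a <Files> section merges after the directory
# rule above and replaces its authorization (AuthMerging is Off by default).
<Files "admin-ajax.php">
    Require all granted
</Files>

# File 2: /.htaccess in the site root
# The login form lives outside /wp-admin/, so lock it down separately;
# without this, brute-force attempts against wp-login.php still get through.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

Requests from any other address get a 403 and show up in the Apache error log, which is the "failing to brute force" noise the post describes; if your IP is dynamic, widen the rule to your ISP's range or switch to a VPN with a fixed egress address rather than removing it.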