Ultimately, repair hacked wordpress site will also inform you that there's no htaccess inside the directory. You may place a.htaccess record in to this directory if you want, and you can use it to handle the wp-admin directory by Ip Address address or address range. Details of how you can do this are plentiful around the internet.
Use strong passwords - Do your best to use a password, alpha-numeric, with upper and lower case and special characters. Easy to remember passwords are also easy to guess!
One thing you can take is to delete the default administrator account. This is important because if you don't do it, malicious user already know a user name that they could try to crack.
What's the best way? Out of all of the possible choices that are available today, which one is appropriate for you and which Click This Link path should you choose?
Oh . And incidentally, I was talking about plugins. Make sure it's a secure one, when you get a new plugin. Don't install any plugin because the owner is saying that plugin can help you do that or this. Maybe use a test site to check the plugin, or perhaps get a software engineer to analyze it. This way you'll know it is not a threat for you or your business.