Try using secure method to prevent session hijacking Attack. Session
Id should change/get refreshed evert time user get login and log out.
WordPress doesn’t use PHP sessions, and doesn’t have a static session ID. You must be using a plugin or theme that is.
login credentials should be encrypted at code level.
WordPress’ login credentials are encrypted. If you’re using some sort of custom system then that’s something its author will need to address.
whene-ever a url manipulation is done at user end it should automatically re-direct to application developed error page.
WordPress does redirect to a standard 404 page.
upgrade to latest version of jquery (3.3.1) (WP uses 1.12.4 and it is secure but is it possible to upgrade without breaking admin and other features relying on jQuery?)
It probably will break stuff. Don’t make any attempt to replace WordPress’ jquery.
Honestly, those first 3 issues sound like problems introduced by 3rd-party code you’ve developed or included (alongside WordPress, or in themes/plugins), and not issues with WordPress itself.