I recommend these basic things:
- Never touch core files!
- Always update core and plugins
- Use strong passwords
- Don’t use abondoned plugins or themes
- Use a well maintained security plugin (like wordfence?)
Of course you can use more security tools and settings for server e.g., but this should be the basic.
Maybe there are more things to do for a good start I forgot.