Secure WordPress, step up your game with HTTP headers
WordPress has a very reasonable track record when it comes to security. Using well tested plugins and adding a security plugin like Wordfence, Sucuri or Bulletproof make up for a secure experience. Keeping up with updates for all software components and use two-factor authentication. Multiple best practice checklists published on the internet will tell you this.
What is not very well known in the WordPress community are the diverse options the HTTP protocol has to improve security. The protocol we all use to communicate between webserver and browser. It can tell every visiting browser what resource to expect and what TLS encryption is required.