
The same principle applies as to services
To keep a WP site reasonably safe without too much hassle:
1 - do not install plugins and themes you don't need. Like services on a server, all you do is enlarge the attack surface. Keep it simple, and as bare as possible.
2 - do not use defaults for admin name as well as admin login path - from what I have seen so far in my logs, it's about the first thing an automated script tries (the next test is usually the admin path for a Joomla site). The simplest way to achieve this is to install one of the few plugins you ought to have, All In One WP Security. It works, and it guides you through cleaning up your site. Be careful with auto-lockup of the front door, though; someone can use this for a Denial of Service on your admin ability.
3 - install a one-time password (OTP) system like Google Authenticator. A lot of WP sites don't run SSL, which means that an admin login can be captured in transit. Using an OTP means you add a second password to the logon that changes every 30 seconds. I used the WP Google Authenticator plugin by Julien Liabeuf, but there are a few out there. No worries about Google backdoors, by the way; this is an RFC standard-based protocol. Search for "Gauth" if you want other instances of this (the project lives on GitHub). The "Google Authenticator" app which you need to generate the numbers to enter is freely available for iOS and Android, possibly for other platforms too.
4 - do your maintenance (update, review log files and make backups). As I'm loath to provide data to Google I use Counterise, which provides me with insight into what sort of attempts have been made to break the site. If they frequently come from one location I blacklist it (resources for that can be found in that All In One WP Security plugin).
Once you've done 1..3 you ought to be quite safe, especially if your site doesn't allow comments.
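
An added illustration of item 3, not part of the original comment and not code from any of the plugins named: the time-based OTP that Google Authenticator generates is RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). The sketch below computes it and shows the server-side check that matters when a login can be captured in transit: a code is rejected once it has been used, so a sniffed code cannot be replayed inside its 30-second window. The `verify` function, its `last_used` bookkeeping and the sample secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # Google Authenticator defaults: 30 s step, 6-digit codes

# Constructed sample secret: the RFC 6238 test key, base32-encoded as the apps expect.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at):
    """Return the code for the 30 s time step that contains Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(at) // STEP)      # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, at, last_used=None, window=1):
    """Return the matched step counter, or None if the code is wrong or reused.

    `window` tolerates clock drift of +/- one step. `last_used` is the counter
    of the last accepted code for this account (hypothetical per-user state the
    caller must store); any code at or before it is refused.
    """
    current = int(at) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if last_used is not None and counter <= last_used:
            continue  # already consumed: refuse replay
        expected = totp(secret_b32, counter * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

if __name__ == "__main__":
    now = 1234567890                       # fixed time so the run is repeatable
    code = totp(SECRET, now)
    accepted = verify(SECRET, code, now)   # first use succeeds
    replayed = verify(SECRET, code, now + 5, last_used=accepted)  # same code again
    print(code, accepted, replayed)
```

The OTP covers only the login step; on a site without SSL the session cookie issued after login still travels in the clear.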