Not much tbh. Disabled every port except 80/443, moved ssh to a non-standard port. Have unattended-upgrades switched on to grab security updates automatically... fail2ban, and the rest is obvious: making sure all non-essential app files are stored outside of public_html, being careful about sanitising user input, strictly limiting file permissions concerning public directories, etc. When I have an app worth hacking I'll invest more time into this, but until then it's a bit of a mute point.

Not a coder, so i rely on hosting providers. Managed WP hosting, they say they take care of security. I certainly hope that they do.