You work exclusively with VPS or dedicated hosting. This is a matter of choice, as you may use Docker and skip this step, but in general, you don’t like shared hosting.
There you follow some security rules presented on the Linode website,
as well as in this article.
Then you make sure all login attempts are kept in auth.log, whether they come from SFTP and SCP or from SSH.
Then you keep an eye on the wtmp and btmp logs, and you have the skills to check access logs.
Then you configure the iptables firewall using csf/lfd, which sends emails to you in case of possible problems.
Then you have a cron job that checks every minute whether all your services are up, and if not, you receive an email.
Possibly you run some rootkit hunter, OSSEC….
At the WordPress level you try to follow these rules:
One great resource to read is: https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
To perform a static source code audit of plugins, you use these tools:
RIPS: A static source code analyzer for vulnerabilities in PHP scripts
PHP-sat: Static analysis for PHP
Yasca: It could best be described as a “glorified grep script” plus an aggregation of other open-source tools.
You use at least one of the above, because every plugin update may contain a hidden bug.
You don’t use dynamic code analysis because these tools may consume a lot of resources, and the above tools are smart enough to predict and warn about possibly insecure code (and there are about 4-5 functions in PHP that can do nasty things).
So by keeping an eye on plugin and theme updates in an automated way, you are informed of possible risks and your WordPress is more secure.
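
The per-update check described above can be reduced to a diff of findings: scan the installed plugin and the incoming update for calls to risky PHP functions, and report only what the update introduces. This is an added example, not code from the article or from RIPS, PHP-sat or Yasca; the function watch list, the sample plugin files and all helper names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed watch list: the article does not name its "4-5 functions".
RISKY = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "unserialize", "base64_decode")
# Bare call only: the lookbehind skips curl_exec(), $db->exec(), Foo::exec().
# PHP function names are case-insensitive, hence re.I. Comments and strings
# are scanned too, so the check errs toward false positives.
CALL = re.compile(r"(?<![\w>$:])(" + "|".join(RISKY) + r")\s*\(", re.I)

def scan(root):
    """Return {(relative path, function, normalised line)} for each risky call."""
    hits = set()
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line in text.splitlines():
            for m in CALL.finditer(line):
                # No line number in the key, so code that merely moved
                # between versions is not reported again.
                hits.add((path.relative_to(root).as_posix(),
                          m.group(1).lower(), " ".join(line.split())))
    return hits

def new_findings(old_root, new_root):
    """Risky calls in the updated plugin that the installed version lacks."""
    return sorted(scan(new_root) - scan(old_root))

# Constructed sample plugin: installed version and an incoming update.
OLD = {"plugin.php": "<?php\n$out = curl_exec($ch);\n$data = unserialize($cached);\n"}
NEW = {"plugin.php": "<?php\n// refactored\n$out = curl_exec($ch);\n\n"
                     "$data = unserialize($cached);\n",
       "inc/update.php": "<?php\n$r = $db->exec($sql);\n"
                         "eval(base64_decode($blob));\n"}

def write_tree(root, files):
    for rel, src in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(src, encoding="utf-8")

def demo():
    """Write both sample versions to a temp dir and diff their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "old"), OLD)
        write_tree(Path(tmp, "new"), NEW)
        return new_findings(Path(tmp, "old"), Path(tmp, "new"))

if __name__ == "__main__":
    for rel, func, line in demo():
        print(f"NEW {func}() in {rel}: {line}")
```

Pointing `new_findings` at the installed plugin directory and an unpacked update gives a short list to review by hand before the update goes live; a non-empty result is a prompt to read the code, not proof of a vulnerability.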