Before you install the latest and greatest hyped WordPress security plugin out there, first take a basic inventory of what lives in the DocumentRoot – depending on your setup, there may be several of these locations. Manually examine them closely using a shell or file browser.
Set up a @vultr VPS for $6/month and use the provided IPv4 address to enforce IP-based restrictions on all of your WordPress sites – most importantly, on your /wp-admin/ and /wp-json/ areas. There are other uses for such a VPS – the IP address is just one of many.
Inventory your plugins & themes thoroughly – don’t need it? Deactivate it, then delete it completely from /wp-content/plugins/ and /wp-content/themes/. Don’t let any of them be a sitting duck waiting to be exploited.
And lastly, ensure your site(s) are running the latest WordPress code base.
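
One way to script the DocumentRoot and plugin/theme inventory described above, as an added example that is not the author's code. `wp_inventory`, its output labels, and the list of stock top-level names are this example's own, and it assumes a standard layout with wp-content inside the DocumentRoot.

```sh
#!/bin/sh
# Added example: list what lives in one WordPress DocumentRoot for manual review.
# Top-level names a stock install has (core files plus wp-config.php/.htaccess).
WP_CORE_TOP=" .htaccess index.php license.txt readme.html wp-admin wp-content"
WP_CORE_TOP="$WP_CORE_TOP wp-includes wp-activate.php wp-blog-header.php"
WP_CORE_TOP="$WP_CORE_TOP wp-comments-post.php wp-config.php wp-config-sample.php"
WP_CORE_TOP="$WP_CORE_TOP wp-cron.php wp-links-opml.php wp-load.php wp-login.php"
WP_CORE_TOP="$WP_CORE_TOP wp-mail.php wp-settings.php wp-signup.php"
WP_CORE_TOP="$WP_CORE_TOP wp-trackback.php xmlrpc.php "

wp_inventory() {
    root="${1%/}"
    if [ ! -d "$root/wp-content" ]; then
        echo "ERROR no wp-content under $root" >&2
        return 1
    fi

    # 1. Anything in the DocumentRoot that a stock install does not have:
    #    old backups, database dumps, stray scripts, forgotten test sites.
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue
        name="${entry##*/}"
        case "$WP_CORE_TOP" in
            *" $name "*) ;;
            *) echo "UNEXPECTED $name" ;;
        esac
    done

    # 2. Every plugin and theme on disk, active or not. Deactivated code
    #    stays on disk until it is deleted.
    for kind in plugins themes; do
        for entry in "$root/wp-content/$kind"/*; do
            [ -e "$entry" ] || continue
            name="${entry##*/}"
            [ "$name" = "index.php" ] || echo "$kind $name"
        done
    done

    # 3. PHP under uploads/, which normally holds media only.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' \) | sort |
            while IFS= read -r entry; do
                echo "REVIEW ${entry#"$root"/}"
            done
    fi
    return 0
}
# Run it once per site: wp_inventory /path/to/DocumentRoot
```

The output is a checklist to examine by hand, not a verdict: an UNEXPECTED or REVIEW line only means the item is not part of a stock install and needs a human decision.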