Hello Friends,
WordPress websites mainly hacked or infected, it's due to directly access via public_html directory from hosting side. so it need to replace the data access position.
there is more plugin for security, but mainly we use only "wordfrence" tool for security.