Securing WordPress Against Hackers and DDoS Attacks

I just translated the slides from my WordCamp speech into English (it is the first version of the translation, so there may be many grammar mistakes). You can find many security tips there.

@picwellwisher12pk I don’t like moving wp-config up. This action prevents information from being revealed when the server stops interpreting PHP code and shows the source code. There was a bug in Plesk years ago that allowed source code to be shown - this is the origin of this technique. If you move wp-config up, you need to allow scripts to access directories outside the web root. It may pose a greater risk.

Changing the wp_ prefix is good advice, but it protects only against simple bots and script kiddies. If SQL injection is possible, you can get the correct prefix easily. A good practice is to block queries that include “union” and other suspicious SQL commands.
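
A sketch of the "block queries that include union" idea from the post above, added here as an example and not the poster's or WordPress's own code. It assumes "queries" means HTTP query strings; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# "union" alone also appears in ordinary searches, so match "union [all|distinct] select".
_UNION_SELECT = re.compile(r"\bunion\b(?:\s+all|\s+distinct)?\s+select\b", re.I)
_SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(query: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding, turn inline SQL comments into spaces,
    collapse whitespace and lowercase, so the pattern sees one canonical form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = _SQL_COMMENT.sub(" ", query)
    return re.sub(r"\s+", " ", query).lower()


def is_suspicious(url: str) -> bool:
    """True when the query string of `url` contains a UNION ... SELECT sequence."""
    return bool(_UNION_SELECT.search(normalize(urlsplit(url).query)))


def flagged(requests):
    """Return the requests a filter built on is_suspicious() would stop."""
    return [r for r in requests if is_suspicious(r)]


# Constructed sample request paths (not taken from real logs).
SAMPLE_REQUESTS = [
    "/?s=credit+union+opening+hours",              # legitimate search, contains "union"
    "/?p=12",
    "/?cat=1+UNION+SELECT+1,2,3",
    "/?cat=1%2520union%2520all%2520select%25201",  # double URL-encoded
    "/?cat=1/**/UnIoN/**/SeLeCt/**/1",             # inline comments, mixed case
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print("BLOCK" if is_suspicious(request) else "allow", request)
```

A legitimate search that happens to contain "union select" would still match, so a rule like this is better suited to logging or challenging a request than to silently dropping it.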