About a year ago I was developing a website for my children’s school, setting up the look and feel whilst waiting for some content, when the school contacted me to say it had been hacked. The HTML index page had been replaced and it was impossible to log in to WordPress. Initially I thought that they had got in through FTP, particularly as there was no link to the WordPress site. I soon realised that they must have just scanned school websites for wp-admin, and then cracked the password (despite it being strong).
The first and simplest thing I found was to replace the default admin user with a new one. The username needs to be difficult to guess, and not used to post, so it does not appear on the site. This means that both the admin username and the password would need to be cracked in order for the site to be hacked. I also installed the Wordfence security plugin, which is recommended and free in its basic form (http://www.wordfence.com/).
To give an idea of the importance of changing the default admin username, this is the Wordfence report on how many failed admin logins there were over a short period.
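Wordfence produces that failed-login count for you, but the same picture can be pulled straight out of the web server's access log, which is useful when you want to check a site before any plugin is installed. The following script is an added example written for this post, not code from the post or from Wordfence. The log lines it reads are constructed samples in Apache "combined" format, and the IP addresses are documentation ranges, not real attackers. It relies on one assumption about WordPress behaviour: a failed login is a POST to wp-login.php that comes back with status 200 (the form is re-rendered with an error), whereas a successful login answers with a 302 redirect to the dashboard. The threshold and window values are arbitrary choices for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format), not real traffic.
# 203.0.113.7 hammers the login form; 198.51.100.9 fumbles twice then succeeds;
# 192.0.2.5 only views the form; the last line is a comment post, not a login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2016:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2016:10:15:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Yield (ip, timestamp) for every request that looks like a failed WordPress login.

    Assumption: POST /wp-login.php answered with 200 = failure (form shown again);
    a 302 would be the redirect WordPress issues after a successful login.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path == "/wp-login.php" and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts


def count_failed_logins(log_text):
    """Total failed login attempts per client IP, the figure a Wordfence-style report shows."""
    counts = defaultdict(int)
    for ip, _ in failed_logins(log_text):
        counts[ip] += 1
    return dict(counts)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with at least `threshold` failed logins inside any `window` of time.

    Returns {ip: most failures seen in one window}. Uses a sliding window over the
    sorted timestamps so a slow trickle of failures over hours is not flagged
    while a burst is.
    """
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("failed logins per IP:", count_failed_logins(SAMPLE_LOG))
    print("burst offenders:", find_bruteforce(SAMPLE_LOG))
```

Run against the sample, the totals show both 203.0.113.7 and the legitimate user who mistyped twice, but only 203.0.113.7 is flagged as a burst, which is the distinction a lockout rule (Wordfence's included) should make. To use it on a real site, read the server's access log into `log_text` in place of `SAMPLE_LOG`; anything flagged is a candidate for a firewall block or for confirming that login rate limiting is actually in effect.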