While I provide support, I see a lot of Joomla sites. Most of them can improve their security by some simple steps. Here are my favorite tips to secure a Joomla site.
Don't use the admin user. If the username is known, it is much easier to guess the password. There are a lot of brute force requests to the login form which are usually undetected. You could see that in your server log files, but I guess you don't know where they are located, or you don't check them. So create new superuser accounts and delete the admin account.