While I provide support, I see a lot of Joomla sites. Most of them can improve their security by some simple steps. Here are my favorite tips to secure a Joomla site.

Don't use the admin user. If the username is known, it is much easier to guess the password. There are a lot of brute force requests to the login form which are usually undetected. You could see that in your server log files, but I guess you don't know where they are located, or you don't check them. So create new superuser accounts and delete the admin account.

To prevent all those brute force attacks for the admin user, I created a small plugin. If it detects the login attempt with the username admin, it will kill the PHP process. If you install it, make sure you don't need to log in with the admin user. That is no longer possible.

https://www.svenbluege.de/joomla-event-gallery/eventgallery-download/event-gallery-tools/bruteforceblocker

Another handy protection is not to show the admin section at all. By using a .htaccess and a .htpassword file, you create an HTTP authentication. Before the login form appears, one needs to login with additional credentials.

http://www.htaccesstools.com/articles/password-protection/

If you're willing to add a security component, I recommend Akeeba Admin Tools. It helps you to create the necessary .htaccess file. But this is just a small part of it. It also provides an option to allow access to the backend with a unique URL only. Your regular backend URL is like /administrator. Everybody can guess this. But if you need something like /administrator?mySecret, things get a lot harder. If people don't know the right secret, they get redirected to the frontend. The Web Application Firewall of Admin Tools helps to detect request trying to hack your database or spy on your file system. Even if you have components which contain security issues, that blocking helps until the components provides an update.

https://www.akeebabackup.com/products/admin-tools.html

Speaking of updates: do it! Always! Make sure your Joomla version is the latest. Update your components if updates are available. Uninstall components which are no longer maintained, or you don't use.

If you need to provide access to your site to get support, don't hand out your regular account data! Create a new user with a good password. Delete that user once the support task is done.