I'm a new WordPress user. Are there any guides online with best practices that I can follow? (Some suggestions I see in this thread: rate-limiting plugin, don't have user id #1, don't have user "admin".)
You can add HTTP basic auth to your wp-login.php and wp-admin/ paths, which will require that the user provide authentication before ever getting to pass data to those scripts. That can protect you against vulnerabilities in the software, but it won't protect you from bad passwords.
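The HTTP basic auth setup described in the comment above, as an added example that is not part of the original thread. It assumes Apache 2.4 with `.htaccess` overrides enabled and the site served over HTTPS; the `.htpasswd` path and realm name are placeholders.

```apache
# ---- File 1: .htaccess in the WordPress root ----
# Require HTTP basic auth before any request reaches wp-login.php.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    # Placeholder path: keep the password file outside the web root.
    # Create it with: htpasswd -c -B /path/outside/webroot/.htpasswd USERNAME
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>

# ---- File 2: wp-admin/.htaccess ----
# Require HTTP basic auth for everything under wp-admin/.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Front-end features of some themes and plugins call admin-ajax.php for
# visitors who are not logged in; exempt it so those requests still work.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic auth credentials are only base64-encoded on the wire, so this layer is only useful when the site is reachable exclusively over HTTPS.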
Find a good host, use a secure password, pay attention to the 3rd-party plugins you're installing, and keep your install updated.