During my time as a web developer I have cleaned up a lot of infected WordPress websites. Here are the reasons that most often let attackers into a site.
First of all, before you go any further, check the hosting provider. Search Google for a top-10 list of hosts and do not pick something just because it is cheap: cheap web hosting does not always come with the support, updates, backups and so on that you need. Try to find something between cheap and expensive. Check that the cPanel, PHP and MySQL versions are up to date.
A common mistake clients make is logging into WordPress from many different PCs, tablets and phones. What if the device you use to connect to your WordPress website is infected? All your other security is lost. So minimise the number of devices you log in from: personally I use only two machines that nobody else uses, and never a phone or tablet.
Avoid unnecessary plugins and themes: delete everything you do not need and keep the rest up to date, WordPress itself included. Check the star rating and the date of the last update of any plugin you want to install. To reduce the risk of a break-in, install a security plugin that protects against brute-force attacks and provides other security tools. Personally I recommend the iThemes Security plugin. It changes the admin username and the admin user's ID, and it bans the public IP address of clients that try to log in to your WordPress website.
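To show what the brute-force protection mentioned above does under the hood, here is a small must-use plugin that counts failed logins per client address and locks that address out for a while. It is an added example written for this post, not code from the iThemes Security plugin; it uses only standard WordPress hooks and transients, and it assumes the site is not behind a reverse proxy or CDN, so REMOTE_ADDR is the real client address.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example, not iThemes Security)
 * Copy this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 * Assumption: no reverse proxy/CDN in front, so REMOTE_ADDR is the real client.
 */

const SLT_MAX_ATTEMPTS = 5;     // failed logins allowed per window
const SLT_WINDOW       = 900;   // counting window: 15 minutes, in seconds
const SLT_LOCKOUT      = 3600;  // lockout length once the limit is hit: 1 hour

function slt_client_key(): string {
    // Hash the address so an IPv6 address also fits in a short transient key.
    return 'slt_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count failed logins per client address; the counter expires with the window.
add_action('wp_login_failed', function () {
    $key      = slt_client_key();
    $attempts = (int) get_transient($key . '_n') + 1;
    set_transient($key . '_n', $attempts, SLT_WINDOW);
    if ($attempts >= SLT_MAX_ATTEMPTS) {
        // Lock the address out and leave a trace in the PHP error log for the admin.
        // Further attempts while locked keep failing and so extend the lockout.
        set_transient($key . '_lock', time(), SLT_LOCKOUT);
        error_log(sprintf('slt: lockout for %s after %d failed logins',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts));
    }
});

// Refuse authentication while the address is locked out.
// Priority 30 runs after core's username/password check (priority 20).
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(slt_client_key() . '_lock')) {
        return new WP_Error('slt_locked',
            __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(slt_client_key() . '_n');
});
```

If the site sits behind a proxy, every visitor shares the proxy's address and this would lock out everyone at once, which is why a real security plugin lets you configure which header carries the client IP.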