❗ Important.
Configure password strength parameters (at Administration > Authentication). The recommended minimum password length is 10 characters (or 8 if 2FA is mandatory). Require digits and both upper case and lower case letters.
❗ Important.
Enable 2FA for users, and require regular users to set up 2FA with the corresponding parameter. Both can be enabled at Administration > Authentication.
Don't use an admin user for everyday work. Use a regular user instead.
Disabling password recovery for admin users can be done at Administration > Authentication. If you have lost admin access and need to recover your password, set 'passwordRecoveryForAdminDisabled' to false in data/config.php.
Consider decreasing Auth Token Max Idle Time. You can also specify Auth Token Lifetime.
Restrict the ability to upgrade and to upload extensions via the UI by setting 'adminUpgradeDisabled' => true in data/config-internal.php.
Consider specifying an IP address whitelist. The parameters are available at Administration > Authentication > Access.
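As an added example (not part of the original checklist or of EspoCRM itself), the script below audits the effective configuration against the recommendations above. It assumes that data/config-internal.php overrides data/config.php, that the key names other than 'passwordRecoveryForAdminDisabled' and 'adminUpgradeDisabled' match the Administration > Authentication settings in your installation, and that an idle-time threshold of 24 hours is your own policy choice; the sample arrays are constructed for illustration.

```php
<?php
// Added audit script, not EspoCRM code. Key names other than the two taken from the
// checklist above are assumed; check them against your installation's data/config.php.
// Constructed sample standing in for data/config.php (a real install would `include` it).
$config = [
    'passwordStrengthLength'           => 6,     // weak: checklist asks for 10 (8 with forced 2FA)
    'passwordStrengthBothCases'        => false,
    'passwordStrengthNumberCount'      => 0,
    'auth2FA'                          => true,
    'auth2FAForced'                    => false, // 2FA enabled but not mandatory
    'authTokenMaxIdleTime'             => 48,    // hours, assumed unit
    'passwordRecoveryForAdminDisabled' => false,
    'authIpAddressCheck'               => false,
];
// Constructed sample standing in for data/config-internal.php.
$internal = ['adminUpgradeDisabled' => true];

const MAX_IDLE_HOURS = 24; // assumed local policy; the checklist gives no number

// Values in config-internal.php take precedence over config.php (assumed merge order).
$effective = array_merge($config, $internal);

function auditSecurity(array $c): array
{
    $findings = [];
    $twoFaForced = !empty($c['auth2FA']) && !empty($c['auth2FAForced']);
    $minLength = $twoFaForced ? 8 : 10;            // length rule from the checklist
    if (($c['passwordStrengthLength'] ?? 0) < $minLength) {
        $findings[] = "passwordStrengthLength should be at least $minLength";
    }
    if (empty($c['passwordStrengthBothCases'])) {
        $findings[] = "passwords do not require both upper and lower case letters";
    }
    if (($c['passwordStrengthNumberCount'] ?? 0) < 1) {
        $findings[] = "passwords do not require a digit";
    }
    if (!$twoFaForced) {
        $findings[] = "2FA is not mandatory for regular users";
    }
    if (empty($c['passwordRecoveryForAdminDisabled'])) {
        $findings[] = "password recovery for admin users is still enabled";
    }
    if (empty($c['adminUpgradeDisabled'])) {
        $findings[] = "upgrades and extension uploads via the UI are allowed";
    }
    $idle = $c['authTokenMaxIdleTime'] ?? 0;
    if ($idle <= 0 || $idle > MAX_IDLE_HOURS) {
        $findings[] = "authTokenMaxIdleTime is unlimited or above " . MAX_IDLE_HOURS . " hours";
    }
    if (empty($c['authIpAddressCheck'])) {
        $findings[] = "no IP address whitelist is enforced";
    }
    return $findings;
}

foreach (auditSecurity($effective) as $finding) {
    echo "[!] $finding\n";
}
```

With the constructed sample, every check except 'adminUpgradeDisabled' produces a finding; set the corresponding values in the admin UI or config files until the script prints nothing.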