Every WordPress website in the world can be accessed via the wp-login admin page. If you want to add an extra layer of security you can rename that page. How do you do that? Using a plugin!
All websites can be hacked. Simple as that. Get used to it. Although WordPress is pretty secure by default it makes sense to add a few extra layers of security if possible. Wordfence is probably the most popular security plugin available.
Modern websites need to be SSL-enabled. In other words the URL of your website needs to start with https:// instead of http://. The Really Simple SSL plugin makes this whole process easier.