Here is another WordPress best practice to follow:
Hackers who break into your WordPress account may use the opportunity to distribute malware or perform DDoS attacks on other websites.
Hence, as a basic practice, disable the theme and plugin editors in the Admin Panel. You certainly do not need these features all the time.
Simply edit the wp-config.php file found in the root of your WordPress directory, and paste the following code just before the line that says 'That's all, stop editing! Happy publishing':
define( 'DISALLOW_FILE_EDIT', true );
That's all you need to do. The plugin and theme editors will disappear from the Admin Panel.
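To confirm the setting is actually in place, here is an added example (not part of the original post) that audits a wp-config.php for the constant, catching a commented-out define, a false value, and a define pasted below the "stop editing" line. The function names and sample files are hypothetical, and treating `true` or `1` as enabled is an assumption of this sketch.

```python
import re
import sys

# Strings are matched first so that "//" inside a quoted URL is not taken for a comment.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""", re.DOTALL)
DEFINE = re.compile(r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]*?)\s*\)\s*;""", re.I)
# The marker comment from the page; the apostrophe may be straight or curly.
STOP_MARKER = re.compile(r"That['’]s all, stop editing", re.I)

def blank_comments(src):
    """Replace PHP comments with spaces so offsets and line breaks are preserved."""
    def repl(m):
        tok = m.group(0)
        return tok if tok[0] in "'\"" else re.sub(r"[^\n]", " ", tok)
    return TOKEN.sub(repl, src)

def audit_wp_config(src):
    """Return 'ok', 'missing', 'disabled' or 'misplaced' for DISALLOW_FILE_EDIT."""
    hits = list(DEFINE.finditer(blank_comments(src)))
    if not hits:
        return "missing"          # absent, or only present inside a comment
    first = hits[0]               # PHP keeps the first definition of a constant
    if first.group(1).strip().lower() not in ("true", "1"):
        return "disabled"
    marker = STOP_MARKER.search(src)
    if marker and first.start() > marker.start():
        return "misplaced"        # pasted below the "stop editing" line
    return "ok"

# Constructed sample files, not taken from a real site.
GOOD = """<?php
define( 'WP_HOME', 'https://example.test' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""
COMMENTED = GOOD.replace("define( 'DISALLOW", "// define( 'DISALLOW")
OFF = GOOD.replace("true", "false")
LATE = """<?php
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_wp_config(fh.read()))
    else:
        for name, sample in [("GOOD", GOOD), ("COMMENTED", COMMENTED), ("OFF", OFF), ("LATE", LATE)]:
            print(name, audit_wp_config(sample))
```

Run it with the path to your wp-config.php as the only argument; without an argument it reports on the constructed samples.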