I’ve been designing WordPress websites, coding them, and securing them since 2009. If you’re a WordPress web designer, use this basic quiz to assess your own readiness for building secure WordPress websites.

Are You A Secure WordPress Builder?

If you would like to see the answers, enter your e-mail address and they will be sent to you after you click the submit button.

General Approach

This covers a wide range of aspects pertaining to access and security.
  • I know how to use one of the following to access the websites I build: FTP, SFTP, Shell Access.
  • Adding reCAPTCHA to a login form is 100% guaranteed to stop bogus login attempts by hackers.
  • Six websites have been implemented by creating subdirectories beneath public_html (the default website directory on most web hosts). The implementation does not use WordPress MultiSite and no special actions have been taken to secure them. If one subdirectory (website) becomes infected, it is impossible for that infection to traverse the directory structure and attack the other websites in the other subdirectories.
  • As long as I do my best to secure my website, including hiring a security expert to do it, there is nothing my web host could do that would make my website less secure.
  • I use formal contracts for building websites and those contracts contain a legally vetted indemnification clause that shields my company from liability should the website get hacked.
  • There is no action a client can take which decreases the security of the website. Security is entirely a technical matter beyond their ability to influence.
  • What is the most common default login page for a self-hosted WordPress website?
  • What is the name of the configuration file WordPress uses to connect to its database?
  • What is the name of the .ini file that makes memory allocation requests for the website?
File and Directory Security

Pertains to your understanding of how directory and file security work.
  • A web form plugin is used to create a web form that captures Driver’s License, Social Security Number, and Mother’s Maiden Name. This information is then stored in the WordPress database. This is a perfectly safe way to collect and store such information as long as the website is using SSL. No other considerations are required.
  • The default installation of WordPress on some web hosts allows people to view the contents of any directory WordPress creates, including the directories containing the contents of the Media Library.
  • The default WordPress installation on some web hosts allows the public to see all components used to build a website.
Disaster Planning

Pertains to your readiness to provide information recovery capabilities for your client websites.
  • My web host maintains backups of the website and allows me to access such backups myself, without the need for technical support.
  • I know that my web host does or does not maintain backups of my website. I know what to expect from my web host as it pertains to backups.
  • I have practiced recovering a website from a backup, either doing it all myself or testing my web host’s ability to do this for me.
Website Maintenance

Pertains to your methodologies for performing updates, identifying conflicts, and solving them without disrupting the live website.
  • I maintain a staging website for testing and user training.
  • I keep a secure clone of my most complex websites on a staging site. I always perform updates to the clone first to spot problems and remediate them, before applying updates to the live website.
  • Keeping themes and plugins (components) updated improves security.
  • Component updates can be automated, so it is not required that I review the website after an automated update to make sure nothing went wrong.
  • It is not necessary to re-test workflows after components are updated. As long as the home page loads, it’s all good. (Just to be clear, in this question “Workflows” are things like membership sign-ups, filling out a form to reveal hidden content, posting a job, etc…)
  • All WordPress components are compatible with each other, otherwise their sale would be prohibited, or they would not appear in the WordPress plugin repository.
  • Destabilizing a system is one way to determine how best to hack it further.
  • Staging websites can be updated anytime, and don’t need to be component-identical or version-identical to the live website since they are largely just for clients to practice on.
  • I know for a fact that my web host scans my website for malware and will proactively notify me if any malware is discovered, or I know for a fact that they do not do this.
  • It is not necessary to include the WordPress database in a full backup of a website.
  • Is an admin account with a user ID of 1 a liability?
  • As long as nobody else has the Admin account credentials to my WordPress website, it cannot be hacked.