At the application level, we adhere to all the security best practices for the code that we write, and we require any new third-party plugin or code to pass a visual inspection and a security scan (if applicable).
We provide solid security features at the server level thanks to our in-house hosting company. When running on Synotio, you also get brute-force protection built in via the wp-fail2ban plugin. All login attempts are reported to a central server, which lets us use the intelligence gathered from all sites to block brute-force or dictionary attacks, sometimes even before they happen. We insist on using Cloudflare Pro (20 EUR/mo) and use its WAF functionality, which is a more active form of protection against DDoS and plugin-specific attacks.