As already said before, secure a WordPress website with plugins such as Wordfence, Limit Login Attempts,
Hide WP-Login and others, and configure your HTTP headers in /etc/apache2/sites-enabled or in your .htaccess files.
Disable phpMyAdmin and vsftpd if you don't need them, and enable them only temporarily, after logging in to your server, when needed.
Install only the software you really need, and only from trusted repositories. Configure Unattended Upgrades as described before.
A good starting point for additional security tools on your VPS is fail2ban, installed with apt install fail2ban.
For example, follow the instructions in Use-fail2ban-to-secure-linux-server. Enter the SSH port number you use in the [SSHD] section of /etc/fail2ban/jail.local.
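A jail.local for the SSH port step above might look like the following. This is an added example, not taken from the linked instructions: the port 2222 and the ban thresholds are placeholder values, and it assumes a current fail2ban package, where the SSH jail section is named sshd in lowercase.

```ini
# /etc/fail2ban/jail.local  (added example; all values are illustrative)
# Settings here override /etc/fail2ban/jail.conf, which stays untouched
# so that package upgrades do not overwrite your changes.

[DEFAULT]
# Never ban the loopback addresses. Add your own static IP here if you have one.
ignoreip = 127.0.0.1/8 ::1
# Ban for one hour (3600 s) after 5 failures within 10 minutes (600 s).
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled  = true
# Must match the "Port" line in /etc/ssh/sshd_config (2222 is a placeholder).
# fail2ban uses this value for the firewall rule it creates: if it does not
# match, bans are logged but connections to the real SSH port are not blocked.
port     = 2222
# Stricter than the [DEFAULT] value above, for SSH only.
maxretry = 3

# After saving the file:
#   systemctl restart fail2ban
#   fail2ban-client status sshd     # lists the jail's failures and banned IPs
```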
Install rkhunter and lynis with apt install rkhunter lynis and run them. Harden your system by applying the improvements they suggest.
Make use of AppArmor configurations (installed by default with Debian Linux, Ubuntu and openSUSE). Alternatively, learn about SELinux (the default in Fedora and Red Hat distributions) and how to install it on a Debian server, as described here. Back up your VPS periodically.
There are many more tools; which of them to use depends on what you do with your VPS.
You can find a collection with reviews via this Link to Security Tools, and related content via this Link to Best Practices.
Find out and test what is appropriate for your server.
Of course, when you need to configure a non-private server, for example at an organisation or company, you have to learn and implement many more configuration details, especially for security. You can find recommendations in the Debian references and also from colleagues and administrators on the internet.
My notes are simply a very first glance at a VPS for mainly private purposes.