Best practices to avoid threats / hacking

Apologies in advance if this is a silly question, but I was curious if someone had an outline of best practices to protect your Bubble site from threats.

I know 2FA is only available at the $500/month level and I’m not there yet.

Other than password basics are there other things I should be looking into?