The #1 thing you need to do to keep a WordPress site secure is KEEP IT UPDATED! That includes all plugins and themes.
Something that might fail a PCI scan is "WordPress User Enumeration." Put this in the .htaccess file:
# Block User ID Phishing Requests <IfModule mod_rewrite.c> RewriteCond %{QUERY_STRING} ^author=([0-9]*) RewriteRule .* https://example.com/? [L,R=302] </IfModule>
Of course, replace example.com with the actual domain.
I think some security plugins automatically protect against that, you might look into something like WordFence.
Please do not use "admin" as the username for any WordPress accounts. That's a frequent target of brute force attacks since it's so obvious.
It's a *really really* good idea to keep each WordPress site in its own cPanel account. That's because if one site in an account is compromised, then other sites in the account likely will be as well. cPanel has a great Addon Domain Conversion tool that's very helpful to split existing sites out into their own account.
If you're not sure if you can put a WordPress site on a subdomain in its own account, of course you can! You can use blog.mydomain.tld or whatever as long as that subdomain isn't already set up elsewhere. Just create a cPanel account with the subdomain as the primary domain and then go on your merry way with installing WP.
And *NEVER* chmod anything to 777. That's global read/write permissions and is highly insecure. If you're having a problem with uploading stuff or something like that, then find what's causing that problem before hauling off and changing anything to 777. Yes, even the uploads directory. In most cases, files should be 644 and folders should be 755.
Forcing SSL for a WP site is pretty easy, try this in the .htaccess (put it at the top).
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] </IfModule>
Make sure to update the URLs to https, too. That's in Settings -> General and the fields are WordPress Address (URL) and Site Address (URL).
If you get a warning about mixed content, there are probably some http URLs that need to be updated to https. Here's a handy tool to track those down.