Upload the wordpress files and folders in directory with some other name hard to predict like cpweb or here or anything else. A trick can be done to hide this directory, to make it appear as it is installed in home directory. Go to Settings-> General and delete the sub-directory name from the field site address(URL). Site address is the perceived address and WordPress address(URL) is the physical address. Copy the .htaccess and index file on the root of the domain, edit them and change the last line showing:
Change the table prefix while creating the configuration file, as it makes tougher for hackers.
Put unique phrases in the salts of wp-config.php file. It can be generated using wordpress
Don’t use admin as user name, while setting up your site, as admin is the default user, so every hacker might like to attack this user. So choose other name apart from admin.
It is very important to secure wp-config.php file and wp-content directory, rest of the files you can delete and upload them again. All the uploaded files are stored in the wp-content folder and database connectivity is saved in wp-config.php file.