"Hidden" SSID's aren't truly hidden.. Your biggest two would be a strong password, very complex - and disabling WPS encryption. WPS can be cracked all day within minutes. You could very well also setup MAC filtering, only allowing devices you filter through for WiFi; that with static IP's would be lengthy to setup but, likely no one would get in.. For passwords, I suggest a phrase; long, not common.
Strong passwords and WPS disabled (very important to stress this) networks aren't easily hackable. I offer free pen-testing for my friends and family; so they can see how easy or difficult it is to 'get in', and mostly from my Pixel 3a NetHunter phone. You can try this as well with a few free tools, some time, and patience. But, likely to just be a headache.
The most usual way someone will try to get into your network will be a 'deauth' attack - where the threat actor sends a 'boot' packet to a specific station, or device - while they're capturing packet data as the device that was just booted from the network, connects back. Now they have a packet that contains the encryption to your WiFi network, or the password. From there, they run something like John The Ripper, which uses a wordlist, or very large text file with common passwords, and also runs kind of like a brute force would, trying different algorithms until it matches. Then they enter the password and boom - on your network, game on from there...
What type of router are you using?? I run a Linksys EA6350 with OpenWRT flashed - tons of additional stuff to install and use, ad blockers (WILL mess with streaming TV and commercials!), better firewall, packet flooding protection - the works.. Compared to the stock setup - and I even have VLAN configs!!
As long as you have a good, strong password, no wonky WPS stuff, firewall enabled, pretty much all the security features you could use or max out - you should be okay.. Also, checking logs and just keeping abreast of your network will help I run an rsync server on my RPi3b+ for the router; that way if anything happens to the router, I have the logs on a separate device to look through.