You could 'hide' your SSID but, that's not truly hiding it. Any frequency you transmit, can be received
To most end-users, it will be 'hidden' though..
I would suggest strong passwords - that's really about the only way to secure your router. Change the admin password on the router itself too; you'd be surprised how many default passwords have been used to gain access! And having said that, a phrase or catch-phrase would be long and not so hard to crack. DO NOT use WPS, use WPA2 or WPA3 if your devices and router support it. WPS is very easily crackable with some free tools, and it's not very secure.
MAC randomization: you can use this, it will prevent someone from successfully carrying-out a deauth style attack. But, caveat: if you use devices for hosting shared folders / content, you're likely to have issues - as the MAC address will change when a connection is established, thus registering a new IP in DHCP to that new MAC address. I know, clear as mud lol.. But, say I got a device to host a NAS - if it registers again under a new IP, hostname might stay the same, but IP changed; likely to have some connection issues back to those devices holding content.
MAC filtering: good, definitely won't be able to access - but a PITA to setup.. Gotta take note and enter all device MAC addresses to be allowed onto the network / router. As this is such a pain to do, and if MAC randomization is enabled on your devices won't connect - very long to setup..
Static IP's: another long PITA to setup, have to know how many devices and set an IP to each device manually. Also change your router IP to use a non-default IP, like 10.x.x.x - still private IP, and not the usual 192.168.x.x, so anyone expecting the default - won't be the same. Not impenetrable though.
As long as you have a good, long password with complexity - capitols, numbers, special characters - you should be okay. If you wanna 'hide' your SSID - that's up to you, but you'll have to manually enter the SSID when you want to connect on every device that's wireless; on top of WPA2 or WPA3 encryption. And subnet - you can use a different subnet to also confuse. I use a /27 subnet, 32 addressable IP's - plenty for my network. That's a little more advanced so, wouldn't try anything with that unless you know about subnetting.. Any device you have close that can use Ethernet - definitely suggest it
Roku TV's are limited to 80-90Mbps on Ethernet btw, just found that out recently lol.. Also make sure to use a non-overlapping channel for 2.4Ghz WiFi, ch1, 6, and 11 if you have others in close proximity; helps reduce interference from others..
Speedtest - I'd suggest using the CLI version, install with terminal sudo apt install speedtest-cli
then run with speedtest
. Doesn't use a GUI to get your speeds, much better 
RiseUp - nice! I'm also a RiseUp user - good one for sure! That's just for your device though - be aware that with running VPN you'll likely have issues talking to devices via hostname, maybe IP as well. When I'm using VPN, can't reach my RPi NAS with hostname - as expected though.