sims
Explorer II
September 1, 2020
Question

prevent execution of scripts and defacing a vulnerable website

Hi,

How to prevent execution of scripts and defacing of a vulnerable website?

IPS, for example a WordPress site.

Thanks

    2 replies

    Yurisk
    SuperUser
    September 2, 2020

    If using just FortiGate IPS, look at the list of vulnerabilities it can protect against - https://fortiguard.com/search?q=wordpress&engine=1 - to see if it is enough for your case.

    Anti-Defacement is a feature of FortiWeb only - when enabled, it watches for unauthorized changes to the website and, if it finds any, re-uploads the saved copy of the website to the server.
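
The watch-and-restore behaviour described in the reply above, sketched as an added example that is not part of the thread and is not FortiWeb's implementation. The function names, the directory layout, the quarantine folder and the excluded `wp-content/uploads/` prefix are assumptions, and the sample site is constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path, exclude: tuple = ()) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    rels = (p.relative_to(root).as_posix() for p in sorted(root.rglob("*")) if p.is_file())
    return {r: hashlib.sha256((root / r).read_bytes()).hexdigest()
            for r in rels if not r.startswith(exclude)}


def check_and_restore(webroot: Path, backup: Path, quarantine: Path, exclude: tuple = ()) -> dict:
    """Report drift from the saved copy, then put the saved copy back."""
    good, live = snapshot(backup, exclude), snapshot(webroot, exclude)
    report = {
        "modified": [f for f in good if f in live and live[f] != good[f]],
        "deleted": [f for f in good if f not in live],
        "added": [f for f in live if f not in good],
    }
    for rel in report["added"] + report["modified"]:
        # Move the unauthorized version aside instead of deleting it: evidence.
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(webroot / rel), str(dest))
    for rel in report["modified"] + report["deleted"]:
        (webroot / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, webroot / rel)
    return report


def demo():
    """Constructed sample site: one defaced, one deleted and one dropped file."""
    tmp = Path(tempfile.mkdtemp())
    web, backup, quarantine = tmp / "web", tmp / "backup", tmp / "quarantine"
    (web / "wp-content/uploads").mkdir(parents=True)
    (web / "index.php").write_text("<?php // original home page\n")
    (web / "wp-login.php").write_text("<?php // original login\n")
    shutil.copytree(web, backup)                       # saved known-good copy
    (web / "index.php").write_text("defaced\n")        # unauthorized change
    (web / "wp-login.php").unlink()                    # unauthorized delete
    (web / "wp-content/dropped.php").write_text("x")   # unauthorized new file
    (web / "wp-content/uploads/photo.jpg").write_text("legit upload")
    return check_and_restore(web, backup, quarantine, ("wp-content/uploads/",)), web, quarantine


if __name__ == "__main__":
    print(demo()[0])
```

Keep the saved copy and the quarantine directory where the web server account cannot write, otherwise an intruder can alter the baseline along with the site.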

    dirty_white_hat
    New Member
    September 21, 2020

    Update the WordPress site.

    Start with the underlying host architecture. Ensure that the host updates their platform. Then change your PHP version to the latest. If you don't see PHP 7.4+ you will need to open a support ticket with the host and tell them you need the latest version of PHP because you got hacked due to their insecure platform. Completely wipe the site. Install the latest version of WordPress fresh. Update WordPress and all plugins. Only after everything is at the latest version can you restore from a backup taken before the system was hacked. Only restore the DB and content; do not restore the insecure version of WordPress itself. Make sure to update everything again after the restore. Install a WordPress security plugin.

    If you actually did prevent the execution of scripts it would make the site inoperable. If you want a site that doesn't run any scripting then stop using WordPress. Make a pure HTML5-based site. That is the only way.

    If you don't understand any of these steps then it's time to hire a professional.

    sims (Author)
    Explorer II
    September 22, 2020

    Hi,

    Will changing flow mode to proxy mode give any benefits?

    Thanks

    Yurisk
    SuperUser
    September 23, 2020

    Against web defacing and such? Nope