As I said in another post, I believe the very popular Wordfence Security plugin to be an excellent security solution for most WP users. Even if Wordfence isn’t the right solution for you, I recommend subscribing to their excellent email list, for timely and informative updates on WP security issues.
My Wordfence quibble: I installed and it and tried it out for awhile, decided in spite of its ample merits it is not for me, deactivated it. I promptly received an email from the Wordfence mother ship, alerting me in somewhat inflammatory language that Wordfence had been deactivated from my site by – my secret admin user name! I keep my admin user name private, and use a public nickname – a minor but sensible security precaution, I think. Wordfence not only harvested my secret admin user name, it reported my admin name to the mother ship, presumably stored it, shared it with – who knows? – and sent it to me in a plain text email. I have no way to know what other private information, if any, Wordfence stole.
And yes, I realize there is a lively debate on whether or not to keep the admin user name private. And I realize that a determined hacker would uncover my user name without too much challenge. But whether to keep my admin user name private is my decision to make. Wordfence deliberately trampled my rights and compromised my security, all because I dared to deactivate their free plugin.
By comparison if I deactivate the security plugin WP Cerber, I get an email alerting me that the plugin was disabled by – my public nickname.
I am still convinced Wordfence is an excellent security solution for most WP users, and equally convinced that I will remain pissed off about the hypocritical theft of my private admin user name for a very long time.
Another Quibble (2018-07-18): It turns out when I deleted WF, it did not clean up after itself like a well-behaved plugin should. It left a bunch of tables cluttering up my database. WF is by no means the only plugin that leaves garbage in the DB when deleted, but the volume WF leaves behind is staggering – no fewer than 22 tables! I discovered this using a tool called Plugins Garbage Collector, which did a great job removing all the orphaned plugin tables – except for those left by WF. This could be a bug in Plugins Garbage Collector, but since it otherwise worked perfectly for me I suspect WF did something nefarious attempting to lock in its garbage. I had to manually delete the WF tables using PHPmyAdmin in cPanel.