I've been using WordPress since about 2002-ish timeframe. And I've been hacked once early on because I was a WordPress neophyte. After doing some research on security, I decided on iTheme's Security. In fact, it has worked so well for me that it is what I use on all my WordPress that I either create or manage. I bought the Lifetime Unlimited Sites license so I didn't have to worry about it when I was securing sites. The folks there have done and continue to do an awesome job in helping to keep WordPress sites secure. My bottom-line to this is that if you have a WordPress site, get any one of the security plugins and then start using it. You'll be glad you did. Then, go check the security logs to see what they are catching. It can get depressing that there is that much garbage going on behind the scenes. Oh yeah, my only other suggestion would be to hide the backend login by changing it to something less obvious (an option that should be available in all of the security plugins) because it will significantly cut down on all the attempts to login to the admin section of the site.