Any serious WordPress security strategy should start with controls at the server level. Still, the plugins below add useful defense in depth on top of that.
Security and Scanning Plugins
WordFence
WordFence is the most widely used WordPress security plugin. It runs scheduled malware scans, comparing core, plugin and theme files against known-good copies, and blocks known malicious IP addresses. It is not perfect, but the file scan is very useful when cleaning up after a compromise.
Sucuri Security
The free version of this plugin scans your WP installs for signs of compromise. A lighter-weight alternative to WordFence if all you need is scanning.
Plugins that Reduce Your Attack Surface
Disable REST API ★
WordPress exposes its REST API (under /wp-json/) to anyone, logged in or not. That means someone can easily download all of your posts with a simple script (I know: I wrote one), and the /wp/v2/users route lists the usernames of everyone who has published, which is exactly the list a brute-force attacker wants. I use this on all of my blogs. Use it on any site where you want to protect your content from scraping via the REST API. Two caveats: the block editor and many plugins make REST calls from the browser, so block only unauthenticated requests rather than the whole API; and scrapers can fall back to the HTML pages and RSS feeds, so this raises the cost of scraping rather than eliminating it.
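As an added example (my own illustration, not the Disable REST API plugin's code), here is a must-use plugin that does the essential part of the job in a few lines: any REST request that does not come from a logged-in user gets a 401, while a short allowlist of route prefixes stays public. The allowlist contents (the oEmbed route) and the file name are assumptions for the example; adjust them for whatever plugin endpoints on your site must accept anonymous requests.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (added example, not the Disable REST API plugin's code)
 *
 * Save as wp-content/mu-plugins/require-rest-auth.php. Must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 */

/**
 * Route prefixes that stay reachable without logging in. Assumed for this
 * example: oEmbed, so other sites can still embed your posts. Add any plugin
 * routes that must accept anonymous requests (a contact-form endpoint, say).
 */
const REQUIRE_REST_AUTH_PUBLIC_PREFIXES = array(
    '/oembed/1.0',
);

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already authenticated (true) or rejected (WP_Error) the
    // request: respect its decision.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Logged-in users pass. The block editor and admin screens send the auth
    // cookie plus a REST nonce, so editing keeps working; application passwords
    // are also resolved before this filter runs.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The requested route, e.g. "/wp/v2/posts". WordPress fills in
    // query_vars['rest_route'] before dispatching to the REST server.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '/';

    foreach ( REQUIRE_REST_AUTH_PUBLIC_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    // Everyone else, including the discovery route "/" and /wp/v2/users,
    // gets a 401 in the WP_Error shape the REST server turns into a JSON error.
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API on this site.',
        array( 'status' => 401 )
    );
} );
```

To check it, request `https://your-site/wp-json/wp/v2/users` while logged out and confirm you get a 401 JSON error instead of a user list, then open the block editor while logged in and confirm saving a post still works.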
Disable XML-RPC ★
XML-RPC is a legacy remote-publishing interface that very few sites still use (remote publishing, anyone?).
The one thing XML-RPC is good at is attracting attacks. Its system.multicall method lets a single HTTP request try hundreds of passwords, and its pingback.ping method, which needs no login, can be abused to flood your site or to make it a reflector in DDoS attacks on other sites. This plugin disables xmlrpc.php by adding rules to your .htaccess file. One of my clients has a high-traffic site that was attacked about once a month. This stopped it. Note that Jetpack talks to WordPress.com over XML-RPC, so disabling it will prevent the Jetpack Publicize module and potentially other modules from working.
WordFence now has this functionality built in, but it is off by default and must be turned on.
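As an added example (my own code, not the Disable XML-RPC plugin's), here is the same protection done in PHP as a must-use plugin, for hosts where you cannot rely on .htaccess. It also shows a trap worth knowing: WordPress's `xmlrpc_enabled` filter only switches off authenticated methods, so on its own it leaves pingback.ping, and with it the DDoS vector, fully working. The equivalent Apache and nginx rules are in the comments; the file name is an assumption for the example.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example; not the Disable XML-RPC plugin's code)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// 1. Hard stop. xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so
//    by the time mu-plugins run we can refuse the request before any method is
//    parsed or dispatched.
//
//    Equivalent web-server rules, which stop the request before PHP starts at all:
//      Apache (.htaccess):   <Files xmlrpc.php>
//                                Require all denied
//                            </Files>
//      nginx:                location = /xmlrpc.php { deny all; }
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    status_header( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'XML-RPC is disabled on this site.' );
}

// 2. Defense in depth, in case something still reaches the XML-RPC server (for
//    example a plugin that instantiates wp_xmlrpc_server directly).

// Turns off authenticated methods only. NOTE: this filter does NOT affect
// pingback.ping, which needs no login, so alone it leaves the reflection
// vector open.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the methods attackers actually use: pingback.ping (reflection and
// flooding) and system.multicall (hundreds of login attempts per request).
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint. The X-Pingback response header and the RSD
//    <link> in <head> both tell scanners exactly where xmlrpc.php lives.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// The Jetpack caveat from above still applies: Jetpack talks to WordPress.com
// over XML-RPC, so do not deploy this on a site that depends on Jetpack.
```

Verify with a POST to `https://your-site/xmlrpc.php` while logged out: you should see a plain 403 rather than the usual "XML-RPC server accepts POST requests only" message, and `curl -I https://your-site/` should no longer return an X-Pingback header.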
Login Security Plugins
Hiding your login URL is obscurity, not real security: anyone who learns the new URL is right back at the normal login form. It does, though, shed most of the automated brute-force traffic aimed at /wp-login.php and /wp-admin/, so it is worth having alongside two-factor authentication. Remember that xmlrpc.php is also a login route; hiding wp-login.php without disabling XML-RPC leaves brute-forcing wide open.
Rename wp-login.php
It doesn’t literally rename the file; it intercepts requests so that the login form is served only at the URL you choose and the default wp-login.php URL no longer works. Great for shedding brute-force attacks that try to log into your site. Also lets you rename /wp-admin.
WordFence Login Security
This is a lighter-weight security plugin with a subset of features of WordFence: two-factor authentication (for admins only), XML-RPC protection, and login page CAPTCHA. Great if you don’t want or need all of the features of regular WordFence.
WP 2FA
If you just want two-factor and no other security features in a plugin, check out WP 2FA.
WPS Hide Login
I haven’t tested this plugin yet, but could be useful for a client who wants to hide their wp-admin URL. Excellent reviews!
Please leave your comments and questions below! – Brian

I am a freelance web developer and consultant based in Santa Monica, CA who uses WordPress, PHP, and JavaScript to create websites and web applications for businesses, nonprofits, and organizations.