I run several webpages with WordPress and I use several security plugins.
I must say that from the first moments all my websites were under different attacks.
- The most usual attacks are login attempts for users “admin”, “system” and some combinations of the site’s URL – like “freeideas”, “freeideas.cz” etc. Therefore NEVER use these user names. On the other hand, you need to mask the real login names. You can also (I would say MUST) block the mentioned bad user names in the Wordfence security plugin.
- Some attacks were more sophisticated – people try to use WordPress procedures in the URL
I consulted these things with a very experienced ethical hacker and he emphasized how important it is in these cases to choose good web hosting. Otherwise experienced attackers can find holes in the web server, which is something you in most cases cannot influence in your WordPress installation.
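
The user-name advice above can be checked mechanically. The following Python sketch is an added example, not code from the original post or from Wordfence: it derives the guessable names from a site URL, audits existing logins against them, and tallies failed-login records. The function names, the `(ip, username)` record format and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Generic names the post reports seeing in login attacks.
GENERIC_BAD = {"admin", "system"}

def guessable_names(site_url):
    """Lower-cased login names that can be guessed from the site URL alone."""
    if "//" not in site_url:          # accept a bare host such as "freeideas.cz"
        site_url = "//" + site_url
    host = (urlsplit(site_url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    names = set(GENERIC_BAD)
    if host:
        names.add(host)                 # e.g. "freeideas.cz"
        names.add(host.split(".")[0])   # e.g. "freeideas"
    return names

def audit_accounts(site_url, logins):
    """Existing login names that must be renamed (case-insensitive match)."""
    bad = guessable_names(site_url)
    return sorted(name for name in logins if name.lower() in bad)

def summarize_failures(site_url, failed_logins):
    """Split failed logins into hits on guessable names and everything else.

    failed_logins: iterable of (ip, username) tuples (assumed export format).
    """
    bad = guessable_names(site_url)
    hits = Counter(u.lower() for _, u in failed_logins if u.lower() in bad)
    other = sum(1 for _, u in failed_logins if u.lower() not in bad)
    return hits, other

# Constructed sample data (documentation IP ranges, invented account names).
SAMPLE_LOGINS = ["Admin", "petr", "freeideas", "editor7"]
SAMPLE_FAILURES = [
    ("203.0.113.7", "admin"), ("203.0.113.7", "freeideas"),
    ("198.51.100.23", "admin"), ("198.51.100.23", "freeideas.cz"),
    ("192.0.2.44", "petr"),
]

if __name__ == "__main__":
    site = "https://www.freeideas.cz/"
    print("block these names:", sorted(guessable_names(site)))
    print("rename these accounts:", audit_accounts(site, SAMPLE_LOGINS))
    print("failed logins (guessable, other):", summarize_failures(site, SAMPLE_FAILURES))
```

Failed logins that land in the "other" bucket deserve a closer look, because they suggest a real login name is known to the attacker.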