https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
This 5-star-rated security plug-in was designed especially for WordPress. It has both a free and a premium version, with the free version offering many features compared to the free versions of other plug-ins I had looked at.
This plug-in provides a protective firewall, login security tools and content protection.
Firewall
- Implements all new firewall rules
- Blacklisting (firewall blocks known malicious URLs and ability to ban users by IP addresses)
- Protects against fake Google bots
- Prevents DDoS attacks
- XSS protection
- Ability to disable PHP file editing
Login Security
- Detects the default ‘admin’ user name and accounts with identical login and display names so they can be changed
- Hides login page from bots with a custom URL for the WP admin login page
- Ability to change the default wp_ prefix of the database tables
- Lockout after multiple unsuccessful login attempts
- Ability to force logouts after a specified time of inactivity
- Ability to implement CAPTCHA tools to prevent spam registrations
- 2FA
- A password strength tool
Content Protection
- Automatically blocks known spammers’ IP addresses
- Tools to block spam and malicious users
- Copyright protection
Bonus!
- Automatic, scheduled back-up of database and files
In my opinion, I feel this is a good all-around tool, as it addresses many of the common ways a website can be hacked, even with the free version.