I prefer security done at the server level. Then on the website level just maintain clean code ,plugins etc.. allow what is needed and general security practices and you will be good.
Security plugins look nice but they can be easily bypassed.
Most people have the free version which has a 30 day delay and is a complete garbage ๐
Patchstack with virtual patching is great for wordpress ๐
