By default, the newest version of WordPress is pretty secure. The development team of WordPress has considered anything which may have been added to some fix malware problems free plugins. Before, WordPress did have holes but now most of them are stuffed up.
I protect an access to important files on the site's server by putting an index.html file in the particular directory, that hides the files from public view.
This is very handy plugin, protecting you against brute-force attacks that are password-crack. It keeps track of the IP address of every login attempt. You can configure the plugin to disable login attempts for a selection of IP addresses when a certain number of attempts is reached.
Along with adding a secret key to your wp-config.php file, also think about altering your user password into something that is strong and unique. A good idea is to avoid common phrases, use upper and lowercase letters, and include numbers, although you will be told the strength of your password by wordPress. It's also visit here a good idea to change your password regularly - say once every six months.
Those are three things you can do to keep WordPress safe without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your whole account.