We work on a lot of websites built on WordPress at Harrelson Agency.
Some of those are complicated builds that cost tens of thousands of dollars and require constant maintenance. Some of those are relatively static sites for a non-profit or small business built on a shoestring budget of just a few hundred dollars. What all of the sites we build have in common is a firewall (we use Wordfence a great deal but also have other means and normally work at the endpoint).
What I’ve found in all my years of marketing and business consulting is that web security is so overlooked by companies, churches, and non-profits large and small. WordPress powers a ton of websites out there, and as a result it is frequently a vector for attacks and hacking attempts. Make sure your web devs / “tech people” or the neighborhood kid that you hire to build or work on your site knows at least a little about infosec and opsec, or you’ll be paying for your budget-built website eventually.
Here’s a nerdy, but interesting, post from Wordfence on what makes them different from cloud-based firewalls…
When choosing a firewall for your WordPress website to protect it against attacks, you have a handful of choices. Wordfence is one of the only effective “endpoint” firewalls available. The alternative is a “cloud” firewall from vendors like Sucuri (now owned by GoDaddy) and Cloudflare.