If you don’t have security set up on your WordPress site, you are playing with fire – specifically, the burning of your web site.
There is too much bad behavior out there. You have to do what you can within reason.
It doesn’t take long AFTER you place security features on your site, whether they be Sucuri or WordFence or another option, for you to see what I’m talking about. So many bots out there, trying to sniff a vulnerability in your site’s setup. Bots trying to figure out your login and password. If they find a vulnerability or determine an easy login/password, they will be back, with the intent of planting infections, redirects, and other invasive code on to your WordPress site.
The fact is, every WordPress site has vulnerabilities. The question is whether those vulnerabilities in the WordPress environment have been figured out at all, and if so, if they have been figured out to be on your site. This is not singular to WordPress – this is software in general. But WordPress is now so popular that it has become a bigger target. Success breeds opportunities, including the opportunities of those who want to abuse your efforts for their own purposes.
Every day we see efforts to login to websites with such user names as Admin, Company Name and Person’s Name. This is why everyone says that your user name needs to be more complex than that, and that your password ought to be VERY complex. That is just a basic step towards security.
You also have to have security software on the site, and you need to make sure it is monitored by someone who knows what to do if there is a known vulnerability – which is to get that known vulnerability fixed.
It is likely to get worse before it gets better. So make sure you have somebody involved in monitoring your site’s security, and web security issues in general. Web developers and hosting companies offer this to their clients. Make sure you have it covered.