We use Wordfence on almost all of our WordPress sites

We use Wordfence on almost all of our WordPress sites, and we pretty much insist on the Premium version, rather than the free version.  The reason why is well illustrated in this post:

https://www.wordfence.com/blog/2020/02/improper-access-controls-in-gdpr-cookie-consent-plugin/

In short:

First of all, Wordfence did a review of a Plugin that had been closed temporarily to determine what the security issues were.

Next, Wordfence deployed a firewall rule to provide protection against this vulnerability to the Threat Defense Feed, for Premium buyers only.

These items happened within a few days of the plugin being closed in the WordPress plugin directory.  It did a couple of things:

It kept people from being at risk of problems relating to the flaw that had been determined in this plugin – regardless of whether the site owner had updated the plugin version when it became available or not.

It kept people from actually removing the plugin from their sites to protect from the security issue, which would have removed the plugin’s functionality.

It gave people some protection which allowed time to review the plugin update within the functionality of their website to make sure it didn’t somehow break something else.

IF you don’t have the premium version, you have to wait a month for that capability from Wordfence.

Those that are waiting are also most likely not updating their plugins often enough, and are literally adding a month of vulnerability to a publicly known security issue.

The only time we do not use WordFence premium is if there is some server-related requirement that really prevents us from doing so (there are such situations out there).  Otherwise, we are going to require it.