Personally I just fence off my wp-admin directory with a password and keep up with the security updates and backups. I don't want to slow down my sites with useless plugins, as it's easier just to drop the backup back should something happen.
I've been using WP for the past six or so years, and only once did I get hacked, and honestly I think that was because something got into the shared server.