Year and a half educated us that WordPress security shouldn't be dismissed by any means. Between 15% and 20% of the world's high traffic websites are powered by WordPress. The fact it is an Open Source platform and everybody has access to its Source Code makes it a tempting prey for hackers.
Since scare tactics appear to be at the very least start considering the issue, or what drives some people to take rename your login url to secure your wordpress website a little more seriously, let me shoot a couple of scare tactics your way.
A simple way is to use a few tools that are built-in. To begin with, do not allow people run a web host security scan to list the documents in your folders and automatically backup your entire web hosting account.
There's a section of config-sample.php that is headed"Authentication Unique Keys." There are four definitions which appear within the block. There is a hyperlink inside that part of code. You want to enter that link in your browser, copy the contents that you get back, and replace the keys you have with the unique, pseudo-random keys provided by the site. This makes it harder for attackers to automatically create a"logged-in" cookie for your website.
You can also make a firewall that blocks hackers. The hacker is prevented by the firewall over here from coming into your own files. You also have to have updated version of Apache. Upgrade your PHP. It's important that your system is full of upgrades.
Just ensure you choose a plugin that's current with release and the current version of WordPress, and which you can schedule, restore and replicate.