Ben 
I have always found it useful to install a security plugin to every WordPress website I work on so that security concerns are not always looming, they are dealt with right off the bat.
I am aware that people always say that WordPress is insecure, but that is only true if the creator of the WordPress website in question is not concerned about security because there is nothing inherently different about the security of a WordPress site that cannot be configured for more security just like a site built on any other technology.
The big three for security plugins that I like to use:
- Securi
- Wordfence
- iThemes Security
If you have one of these three on your WordPress website with the correct configuration your site is more secure than many sites out there. The different plugins protect against slightly different things, and some of the security has to come from the webhost but having one of these installed on your site is a huge step in the right, secure direction. You are of course welcome to provide your own security and configure things about your website and server on your own but these plugins are all great and will provide protection against most threats.
Only configure your own security if you feel like you are more equipped to handle it than the countless developers many of whom are security experts, who contributed too and created these plugins.