does not hurt - hiding the wordpress version, protection against brute force of the admin panel (ban by ip, secret key, number of attempts), hiding the admin panel, tracking changes in files, checking all files (including the theme) for hidden php code. and this is the minimum that is not in the base wp.

These plugins are useless in my opinion.
Most of them simply change the login path to the admin panel to a custom one, protecting against brute force.
And most WP sites are hacked according to the scheme:
1) getting data from the database;
2) search for phpMyAdmin / connect to the database through any mysql manager;
3) adding a new admin with a sql query;
4) attempt to log in via /wp-login.php;
5) if 404 or 403, then disable all security plugins in the active_plugins field in the wp_options table;
6) successful authorization attempt via /wp-login.php;
It will be more effective than these plugins to prohibit all ips (exact or ranges) in htaccess to all unnecessary ordinary users (/wp-admin, /wp-login.php, etc.).

Look aside: https://wordpress.org/plugins/all-in-one-wp-securi... - can lock important files (.htaccess, wp-config, etc.) Plus all sorts of "firewall" things like protection from brute force and bots. At the same time, according to personal observations, it is much less voracious, unlike any Wordfence, etc.
Set is a must. For the internal protection of WordPress is one thing. But you can't count on the consciousness of the client's server admins for 10)%. Here in 50% of cases I had to reconfigure chmod on directories, because everything was free everywhere. Yes, and the software is very often leaky and old in people. And then someone will be blamed for hacking the site? Of course you!
And of course, you need a regular automatic backup. I am currently setting up a regular backup of files on the hosting (if there is such a function) using the hosting itself, plus I install the UpdraftPlus plugin - it can backup the database and files to Dropbox or Google Drive every few hours.