To offer a counter opinion, I found Wordfence highly obtrusive, annoying and full of dark patterns in an attempt to upsell you to premium. They present in their dashboard ALL attacks within their entire network as if those were attacks on your site in particular, which is misleading. If the project permits, the best practice is to convert the site into fully static HTML (WP2Static, SimplyStatic) and keep the backend site/database separate and local only.
It's fairly resource-intensive, though. I've seen whole servers brought to their knees because of plugins like Wordfence -- an unintentional DoS, so to speak. Many of the defenses employed by Wordfence would be orders of magnitude more efficient if implemented at the level of the HTTP daemon or firewall. Unfortunately, WordPress plugins must cater to the lowest common denominator, shared hosting.
Sure, but you don't know that until the attacks actually begin, and anyone can attack any site for any reason these days. Meanwhile, most people who run WordPress sites don't know how to do anything more complicated than installing a plugin. Being a developer who caters to that market has its own charms and challenges.