Which security/firewall plugin do you recommend?
There’s a great combination you can do of Cloudflare with the Sunny Plugin, Zero Spam Plugin and Cloudflare Guard plugin to automatically ban spammers through your firewall so their traffic no longer reaches your site. This simulates fail2ban, but does so with a WordPress admin interface.
Install the following plugins:
Configure them to talk to your Cloudflare account and each other in their settings pages and now you will have a far more secure and faster site – Zero Spam reports on the spam bots, Sunny handles the Cloudflare Cache clearing, Cloudflare Guard adds the unique IP addresses to ban from your site.
Note: This is FAR faster than any security plugin, because the traffic gets banned at the Cloudflare level. With the likes of WordFence, traffic still hits your site, uses Nginx resource, CPU, Disk, RAM and PHP cycles whilst all of WordPress is loaded so that WordFence can look up in it’s database and ban the IP address.
I don’t recommend WordFence – it’s incredibly heavy on your server and I’ve found it fails to spot infections – if you must use an actual security plugin, Sucuri is better.