By default, the newest version of WordPress is pretty darn secure. The development team of WordPress has considered anything that might have been added to any fix wordpress malware plugin plugins. Before, WordPress did have holes but most of them are filled up.
I might find it a little harder to crack your password if you're among the ones. But if you're among the responsive ones, I might get you.
You also need to set the"Anyone Can Register" in Settings/General to off, and you should have some type of spam plugin. Akismet is the old standby, the one I use, but there are many of them these days.
In addition more info here to adding a secret key to your wp-config.php file, also consider altering your user password into something that is strong and unique. WordPress will tell you the strength of your password, but include numbers, use letters, and a good tip is to avoid common phrases. It's also a good idea to change your password regularly - say once.
Those are three things you can do to keep WordPress safe without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup great post to read your whole account.