I use Acunetix as a starting point for a lot of security suggestions for WordPress. It comes with a dashboard that lists a lot of items the plugin suggests action to be taken on. I generally take these steps in advance of running the program, but it’s nice to be able to check their list and make sure I’ve done all the suggested items.
I’ve used this plugin for some time for various items it takes care of, such as removing version information from various links used by WordPress internally. Leaving this alone more or less broadcasts what version of WordPress is being used to those who know where to look. I’ve seen at least one other plugin (Sucuri) note that removing this version information was a security risk, but since any WordPress exploit would also be version-specific, I use this plugin’s setting to remove that information wherever possible.
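To confirm the setting took effect on your own site, the rendered page can be checked for the two places WordPress normally exposes version strings: the `generator` meta tag and the `?ver=` query string on stylesheet and script URLs. The script below is an added example, not part of the plugin or the original post; the function and class names are hypothetical, and the sample HTML and version numbers are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a WordPress page head; hostnames and versions are made up.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.test/wp-content/themes/demo/app.js"></script>
</head><body></body></html>
"""

class VersionLeakFinder(HTMLParser):
    """Collects the places where a page discloses version strings."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, value) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # <meta name="generator" content="WordPress x.y.z">
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"WordPress\s*([\d.]+)?", a.get("content", ""), re.I)
            if m:
                self.findings.append(("generator", m.group(1) or "unversioned"))
        # ?ver= query strings on stylesheet and script URLs
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if url:
            parts = urlsplit(url)
            for ver in parse_qs(parts.query).get("ver", []):
                self.findings.append(("asset", f"{parts.path}?ver={ver}"))

def find_version_leaks(html):
    """Return every version disclosure found in the given HTML string."""
    finder = VersionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    # Swap SAMPLE_HTML for the saved source of your own front page.
    for kind, value in find_version_leaks(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

An empty result on your saved front-page source means neither disclosure is present; any `asset` lines left over show which enqueued files still carry a version string.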
I don’t get a lot of use out of it, but this plugin also comes with a “live traffic” tool which gives a list of all IP addresses and where they are within the website. It’s said to be “live”… I believe it’s displaying about a five-minute chunk of time, so one IP may appear on the list multiple times. It’s interesting during low traffic times, and can help pinpoint problematic IP blocks if some sort of attack is underway.
This plugin also makes some very specific suggestions for the database/user permissions for WordPress. I generally apply these suggestions to every site I host. If there are any conditions where more permissions are required, I have yet to encounter them.