By default, the latest version of WordPress is pretty darn secure. Anything that might have been added to any fix wordpress malware plugin plugins has been considered by the development team of WordPress . In the past , WordPress did have holes but now most of them are click to investigate stuffed up.
Don't depend on your Web host - Many people rely on their web host to"do all that technical stuff for me", not realizing that sometimesthey don't! Far better to have the responsibility lie with you, instead of out.
Keep control of your online assets - Nothing is worse than having your livelihood in somebody else's hands. Why take chances with something as important as your site?
Now we're getting into things. Whenever you install WordPress, you have to edit the document config-sample.php and rename it to config.php. You need to install the database information there.
These are three things you can do to maintain WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your entire account.