Let this be a point-to-point topic. WordPress Security is a combination of multiple security steps that need to be followed. Having a Security Plugin ≠ Safe WordPress. There are ‘n’ number of WordPress Websites on the planet that have been breached in recent years even though they were heavily protected.

The short answer to the question, NO, you don’t need any WordPress Security plugins to keep your site secure. WordPress in itself is already secure. We recommend installing Firewall on your site. Either through server end or through WordPress plugins.
Now don’t go and delete the security plugins on your site. Learn how WordPress security Works and then later you can have a decision.
Before you decide on Plugins, let us understand, how a WordPress site is hacked or breached. Below are all the ways an Intruder will be able to get access to your WordPress site.
Hosting
You may keep your Hosting Panel, ID, and Password super secure away from everyone else, but what about your hosting server itself getting breached? There is nothing you can do. So, purchase secure hosting instead of going for cheap and unreliable hostings. We recommend Bluehost, Siteground, and Hostinger for security.
All hosting companies* have complete access to all your hosting files and databases.
Tomorrow in exchange for money there can be a possibility hosting companies may quietly share your data with a third party without your consent. The point is, you know, to purchase trustworthy hosting.
Super secure websites which are run by governments or security agencies always use custom servers to host their files. Also known as VPS. Here the only person responsible is the owner itself. You buy a space, install an operating system and control panels that you like. You are Free to use your allocated resources to the fullest.
Security Plugins are completely helpless if your Hosting account is compromised.
Vulnerability
Vulnerability in simple terms is ‘poorly coded PHP’ which when executed on any live website will be able to create admin account/ access or if any WordPress deprecated functions are used which can be a cause of weakness for wordpress.
Malicious code is directly related to creating an admin account when some particular autorun PHP is executed when some particular URL is accessed, which is all predetermined.
Also known as ‘backdoors’. If you have installed Nulled Plugins and Themes assuming that you get premium features for free, may include ‘backdoor’ within them. Not all externally downloaded plugins have backdoors. Some are exact copies of the Original File without any modification, bought legally under GPL for testing purposes and not for making profits.
Always purchase/ install Themes and Plugins from WordPress Repository, Themeforest, or from developer-owned websites.
Security Plugins can’t scan Plugin and Theme files that are externally downloaded.
Brute-Force
Brute-Force is a program that can be run by humans and bots when they get access to the WordPress login page by accessing your domain with these URL extensions. i.e. ‘/wp-login.php’ which is the same as ‘/admin’ or ‘/wp-admin’ extensions ( which are always redirected to wp-login.php)
On a default WordPress Installation, if anyone tries to login to your site, they need two things. Your Email/ Username and Password. For the first time when they enter the wrong credentials, WordPress will display an error message exposing whether the ‘username’ entered is right or wrong.
Finally, after some attempts, the intruder will know your ‘username’ which later they can run brute-force bot scripts which will enter common passwords related to the username and website, if they guess right, they get access. The problem here is not of security. It also consumes CPU power which should be avoided.
Hence it is recommended not to use ‘admin’ as username and the password should be kept strong. Just remember, Brute-Force attempts can be executed only if wp-login.php is accessible. What if you don’t allow your WordPress Login page to the public? Simple. There are NO Brute-Force attempts at all.
I have shown you some very unique ways to keep your wp-login.php away from public access. If you want to keep your Login Page secure, have a look at this article on Protecting the wp-login.php against Brute Force.
To know if there is any Brute-Force attempt happening, install Activity Log Plugin and search for ‘Failed Logins’ log entry.
Security Plugins can avoid Brute-Force attempts. But what if the Login Page itself is not available?
Offline Hack
Offline Hack has nothing to do with WordPress or Hosting. It’s all about keeping your Google Account, Computer, and Mobile Phone Secure. This is all very important and most people ignore the core basics of security.
A must-read short explanation of why this is so important, please visit this article WordPress Security Basics.
Security Plugins? Website Credentials are Leaked.?
In a Nutshell, Security Plugins can only protect you inside of WordPress Directory. Usage of security plugins is completely let to the user’s interest as some WordPress users may not have the time/ skill to secure a website through other means. We always recommend installing a Firewall for your site either through a Plugin or through the server.
Whether you use any Security Plugin or Firewall Plugin, it will consume some amount of CPU since it will be constantly guarding your website. We have used most of the security plugins in the past and we still use them for some of the client sites we design. This whole article was just to give you an overall idea of how WordPress security works.