WordPress is a system but software has their flaws and security holes are located on WP. This is why WP often releases updates. As soon as any vulnerability was discovered by them, they immediately make some changes and supply a new update . You need to understand the different regions where these plug-ins work to help you protect your investment, if you want to know more about the best fix wordpress malware scanner plugin.
No software system is resistant to bugs and vulnerabilities. Security holes will be discovered and bad guys will do their best to exploit them. Keeping your software up-to-date is a good way to stave off attacks, because reliable software useful link vendors will mend their products once security holes are found.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. Definitely more, if you make changes and additions to your site. If you make changes multiple times every day, or have a community of people which are in there all the time, a backup should be a minimum.
You can extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. I think you can use it and this plugin is a good choice.
These are three things you can do to keep WordPress secure without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your entire account.