WordPress is a CMS that has been around for a very long time, for that reason there is also a lot of people that want to do harm and infect your WordPress site. This guide will walk you through some basic steps to protect your WordPress from being infected.
The start is a good protected server, preferably with a firewall & fail2ban setup. Make sure no one has access to your passwords or SSH keys which would be able to get into your installation.
To protect WordPress itself as installation, we recommend the following plugins:
1. Anti-Malware Security and Brute-Force Firewall - Link
This plugin will scan your WordPress installation for any malware, or suspicious scripts. It will make calls to the core server of the plugin where they store the known backdoors to keep you informed.
2. WP Limit Login Attempts - Link
This is basically a plugin to prevent brute forcing to your WordPress installation. It will verify each login with a captcha code and an inbuilt mechanism to slow down brute forces.
These plugins are no guarantee that your installation will be safe and sound. There are still possibilities new backdoors are created which will not be patched fast enough. Be sure to check your WordPress weekly so you are sure its still good.