Why are the BWPS features not default in WordPress?
Better WP Security has many known issues. In some worst cases, it may break your website. Some frequent discussed problems:
- Change wp-content folder cause problems with other plugins
- Fail to work on low memory environments
- High CPU load
- Being blocked on login page (usually because improper configuration)
- Unreasonable amount of 404 errors
- Hide backend not able to 100% hide login page
How hacker drop a file on a website?
Protection is only prevention for them to do it, there is no 100% secure thing. They could gain access by using the vulnerability that may already exist in the plugin/theme you're using, for example the Timthumb problem which happened recently. I have bad experience using free hosting, they (the webhost) injected some bad codes into my database.
Hackers are smart, we won't know what new trick they may have to break your website.