I'm working on a wordpress site which is still not on production but is still available if you know the url.
Lately the site was somehow hacked and some malicious scripts were added to the loading of the page.
I'm not sure how they hacked in but I doubt that it was to the server since there's no ftp access and only one user with ssh access, since it's a meaningless site that is not even used by users I doubt that someone would go to all that trouble.
I also understand that wordpress itself is pretty secured and that the weak parts are the plugins and themes.
I'm not that worried about the theme part since I'm using one I created based on the default theme, but I'm worried about the plugins part since I need to use not so few.
How can I know if a plugin is secured enough?
I searched and found that there are plugins that help with the security aspect, but there are so many of them.
What's the best approach to protect the wordpress installation including plugins?