By default, the latest version of WordPress is pretty secure. Anything that might have been added to some how to fix hacked wordpress site plugins has been considered by the development team of WordPress . In the past , WordPress did have holes but most of them are filled up.
Everything you've worked for will go with this should your site's server return. You'll make no sales, get no traffic or signups to your site, until you have the website back up 32, and in short, you're out of business.
One thing you can dig this take is to delete the default administrator account. This is important because if you don't do it, a user name that they could try to crack is known by malicious user.
You can extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a good choice and you can use it at no cost.
Oh . And incidentally, I was talking about plugins. Make sure it's a safe one when you get a plugin. Don't install any plugin because the owner is saying on his website that plugin can help you do this or that. Maybe use get a software engineer to examine it, or maybe a test site to check the plugin. This way isn't a threat for you or your organization.