There are millions of blogs all around the world wide web. Some people are making money through it and some do not. Many of the bloggers use WordPress at the moment. You will need to be certain that your blog is secure.
The secure your wordpress site Codex has an outline of what permissions are acceptable. File and directory permissions can be changed through an FTP client or within the administrative page from the hosting company.
Protect your login credentials - Don't keep your login credentials where they might be found by a hacker. Store them off, as well as offline. Roboform is good for protecting them, too. Food for thought!
You should also place the"Anyone Can our website Register" in Settings/General to off, and you ought to have some sort of spam plugin. Akismet is the one I use, the old standby, but there are many of them nowadays.
You may extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. I think you can use it and this plugin is a good choice.
These are three things you can do to maintain WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your whole account.