It has long been my policy to offer a design AND maintenance package when creating a WordPress site. Customers generally sign up to the latter for the peace of mind it brings, the only exception being a customer who was subsequently hacked by a Moroccan who posted ISIS promotional material on his site.
More recently businesses with an existing WordPress site have signed up solely for the maintenance package, sometimes as a result of needing a hacked site to be recovered.
However if you are interested in prevention rather than cure, then here is what my maintenance package offers:-
Daily backup stored offsite
These can be used to recover a site, clone it and transfer it to another server location.
The core files, plugins and themes are updated within 24 hours of being released by their authors.
Brute-force login attempts are blocked using various techniques including hiding the login pages.
Individual usernames, IP addresses, networks or countries can be blocked from accessing your website.
Known exploits such as SQL injections are blocked by a website application firewall.
All for less than 1.70 per day.