I am using Wordfence on wordpress websits. I also at least initially used WSD Security plugin which does a scan of the website and let you know if everything is all good with chmod and permissions.
Wordfence seems very good, but to really get all of the features you need to pay for it. Out of the box it will scan your website and alert you if any files change, if anyone logs in, and you can block 'admin' attempts. Keep an eye on your Wordfence tables too because they can get rather large overtime.
If there are excessive amounts of 404 errors showing up, do those pages actually exist on the website?