What's the minimal WordPress security hardening you'd trust?

I’m trying to understand what actually matters in WordPress security beyond checkbox features.

Constraints: shared hosting, non-technical site owners, must not break plugins/themes, low overhead.

If you had to pick the top 5 controls in a WP security plugin (or server-side), what would you choose and why?

Bonus: what features are mostly noise (false positives, bloat, fear-UX), and what’s surprisingly effective?