Use the Wordfence security plugin. It'll do everything you need. Go through the basic options list to have it send you email notifications and to adjust the settings to your level of tolerance. You don't want it emailing you false positives every ten minutes, but you do want to know about serious issues.
Most of all you want protection against brute force attacks.
I have had sites hacked before, and it was most frequently through a contact form plugin.
Make sure you're taking automatic backups. Backup Buddy is a good plugin for this. Your host can also reset your site using a snapshot from a few days earlier.