Security
I install this plugin on every client’s wordpress site. It’s amazing what the free version itself is capable of.
Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.
Performance
On very small traffic sites (SME), I often leave this out as I find the performance boost to be negligible. However, the same cannot be said for high traffic sites.
Another popular alternative is Nginx FastCGI Cache.
Often paired with Varnish or Nginx as mentioned above, this plugin sends a request to delete (aka flush) the cached data of a page or post every time it is modified. This happens when updating, publishing, commenting on, or deleting an post, and when changing themes.
Because wordpress sites often have dynamic rendered content, caching and serving static files can speed up the delivery. Certainly, memcached is a good combination.
This probably falls under both performance & security.
Thereafter, I use Loader.IO to stress test before and after to compare performance.
Conclusion
If scaling and performance is absolutely pivotal, Laravel PHP framework might be a better option. I find WordPress easy for quick deployments with tons of customized extensions available at your fingertips, but it comes at a cost- bloated & cluttered mess.