I have had two WordPress blogs hacked into previously. That was at a time when I was doing almost no internet advertising, and until I found time to deal with the situation (weeks later), these sites were penalized at the main search engines. They were not eliminated the ratings were reduced.
Installing the fix malware problem Scan plugin alert you that you might have missed, and will check all this for you. It will also tell you that a user named"admin" exists. That is your user name. If you desire, you can follow a link and find directions for changing that title. I personally think that a strong password is enough protection that is good, and there have been no successful attacks on the blogs that I run since I followed those steps.
Truth is, if a capable master of this script targets your website, there is no way. What you are about to read below are some measures you can take to minimize the threat to an acceptable level. Odds are a hacker would prefer choosing easier victim, another if your WordPress site is well protected.
Yes, you need to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. If you make changes and additions to your website, definitely. If you make changes multiple times a day, or have a community of people that are in there all the time, a daily backup should be a minimum.
Another step to take to make WordPress secure is to upgrade WordPress to the latest version. The this content reason behind this is that with every new update there come fixes for old security holes which makes it essential to update.
However, I advise that you set up the Login LockDown plugin as opposed to any.htaccess controls. Login requests will be stopped by that from being permitted from a specific IP-ADDRESS for this link an hour or so after three unsuccessful login attempts. It is still possible to access your cell while image source and yet you still have good protection against hackers, if you accomplish that.