Last year and a half educated us that WordPress security should not be taken lightly by any means. Between 15% and 20% of the world's high traffic sites are powered by WordPress. The fact that it is an Open Source platform and everybody has access to its Source Code makes it a prey for hackers.
Finally, fix wordpress malware protection will even tell you that there's not any htaccess in the directory. You can put a.htaccess file within this directory if you desire, and you can use it to control access to the directory or address range. Details of how to do this are readily available on the internet.
No software system is resistant to bugs and vulnerabilities. Security holes will be found and bad guys will do their best to exploit them. Keeping your software up-to-date is a good way to stave off attacks, once security holes are found because their products will be fixed by this software sellers.
You should also place the"Anyone Can Register" in Settings/General to off, and you ought to discover this have some sort of spam plugin. Akismet is the one I use, the old standby, but there are many of them these days.
As I (our untrue Joe the Hacker) understand, people have far too many usernames and passwords to remember. You have got Twitter, Facebook, your online banking, LinkedIn, two site logins, FTP, internet hosting, etc. accounts that all include logins and passwords you need to remember.
I prefer to use a WordPress plugin to get the job done. Just make sure is in a position to do copies, has restore and can clone. Be sure it is often updated to keep pace with all versions of WordPress. There's absolutely not any use in not working, and backing your data up to a plugin that's out of date.