By default, the newest version of WordPress is pretty darn secure. The development team of WordPress has considered anything that might have been added to any fix malware problem plugins. In the past , WordPress did have holes but most of them are stuffed up.
It all will start with the fundamentals. Attempt to use complex passwords. Use numbers, letters, special characters, and spaces and combine them to make a password that is special. You can also use usernames that aren't obvious.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. If you make frequent additions and changes definitely. If you have a community of people that Look At This are in there all the time, or make changes multiple times a day, a daily backup should be a minimum.
Another step to take to make WordPress more secure is to upgrade WordPress to the latest version. The reason behind this is that there also come fixes for security holes that are old which makes it essential to update.
However, I recommend that you set up the Login LockDown plugin in place of any.htaccess controls. From being permitted after three unsuccessful login attempts from a specific IP address for an hour login requests will stop. You can access your admin panel whilst away from your workplace, and yet you have good protection against hackers, if you do that.