I have had two WordPress blogs hacked into in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalised in the search engines. They were not removed, but the rankings were reduced.
I back up my blogs using a plugin WP DB Backup. I can always restore my blog to the 13, if anything happens. I use WP Security Scan free plugin to scan my site and asks that are suspicious-looking to be blocked by WordPress Firewall to fix wordpress malware fix.
Strong passwords - Do what you can to use a strong password, alpha-numeric, with upper and lower case and special characters. Easy to remember passwords are easy to guess!
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it if it cannot be found in the root directory. Also, nobody will have the ability to read the file i was reading this unless they've FTP or SSH access to your server.
Now we are getting into things. Whenever you install WordPress, you have to edit the document config-sample.php and rename it to config.php. You want to set up the database information there.
However, I advise that you set up the Login LockDown plugin instead of any.htaccess controls. Login requests will stop from being permitted from a specific IP address for an hour after three failed login attempts. You may still access your admin panel while away from like this your workplace, and yet you have great protection against hackers, if you do so.