I don't know about you, but when I secured my WordPress site, and I researched to find out what others do to keep their blog secure, I found so much information I was completely confused. And some of the information was in fact over superstitious or the top. People told me rename this folder to rename this file and set up these ten plugins. It seemed to be a lot of effort and work.
Since scare tactics appear to be at least start considering the problem, or what drives some people to take fix wordpress malware virus a little more seriously, allow me to shoot a couple of scare tactics your way.
Don't make the mistake of thinking that your hosting company will have your back as far as WordPress backups go. Not always. While they say they do, it has been my experience that the company may or might not be doing backups. Why take that kind of chance?
This is quite handy plugin, protecting you against brute-force password-crack strikes. It keeps track of the IP address of every login attempt. You can configure the plugin to disable view website login attempts when a certain number of attempts is reached.
Can you view that folder, what if you visit WP-Content/plugins? If so, upload that blank Index.html file inside that folder as well so people can't see what plugins you have. Because even if your current version of WordPress is current, if you are using a plugin or an old plugin with a security hole, then someone can use that to get access.
There are always going to be risks being online (or even just being alive!) And it's easy to get caught up in the fear. As soon as we get caught up in the fear, we put the breaks on. This isn't a reaction that is good. Simply take some common sense precautions, then forge ahead. It is going to need to be dealt with then, if webpage something bad does happen and no amount of quaking in your boots before-hand will have helped. All is good, if nothing does and you haven't made yourself ill with worry.