Finally, fix malware problems free will tell you that there's not any htaccess from the directory. You can put a.htaccess file if you wish, and you can use it to control access to the wp-admin directory from IP address or address range. Details of how to do that are available on the net.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, that hides the files out of public view.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely more if you make additions and changes to your site. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup Continued should be a minimum.
Can you view that folder Imagine if you go to WP-Content/plugins? If so, upload this blank Index.html file inside that folder as well so people can not view what plugins you have. Because even if your version of WordPress is up to date, if you're using a plugin Click This Link or an old plugin with a security hole, someone can use this to get access.
You do not always think about needing security, when your site is new but you do need to protect yourself and your investment. Having a site go down and not being able to restore it quickly can mean a big loss of consumers who won't remember to search for your website again later and can't find you. Don't let that happen to you. Back up your site after you get it started, as the website is operational, and schedule frequent backups for as long. That way, you will have peace and WordPress security of mind.