I don't know about you, but when I secured my WordPress site, and I researched to find out what others do to keep their blog secure, I found information I was confused. And some of the information was in fact on the top or superstitious. People told me rename this folder to rename this file and install these ten plugins. It seemed to be a lot of work and effort.
By default, the latest version of WordPress is pretty darn secure. The development team of WordPress has considered anything which may have been added to any fix wordpress malware cleanup plugins. Before, WordPress did have holes but now most of them are filled up.
Hackers don't have the power once you got all these lined up for your own security, to come to Homepage your WordPress blog. You can visit have a WordPress account that provides you big bucks from affiliate marketing.
Yes, you want to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. If you make changes and regular additions to your site, definitely more. If you make changes multiple times every day, or have a community of people that are in there all the time, a daily backup should be a minimum.
Upgrade now if you're not running the latest version of WordPress. Leaving your website is like maintaining your door unlocked when you leave for vacation.
However, I advise that you install the Login LockDown plugin instead of any.htaccess controls. From being permitted after three useful source unsuccessful login attempts from a specific IP address for an hour login requests will stop. You can still access your admin panel while and yet you have protection against hackers if you do so.