I have had two WordPress blogs. That was in a time when I was doing almost no online advertising, and until I found time to handle the situation (weeks later), these sites were penalized at the main search engines. They weren't eliminated, no matter how the evaluations were reduced.
Finally, installing the fix hacked wordpress site Scan plugin alert you to anything that you might have missed, and will check all this for you. It will also inform you that a user named"admin" exists. Of course, that is your user name. You find directions for changing that name, if you wish and can follow a link. I personally think that there is a password good security, and there have been no attacks on the blogs that I run, since I followed those steps.
The one I recommend, and the approach, is to use one of the password creation and storage plugins available for your browser. I believe after a trial period, you have to pay for it, although Lots of people like RoboForm. I use the free version of Lastpass, and I recommend it for those of you who use Internet Explorer or Firefox. That will generate secure passwords for you; then you use one master password to log in.
Yes, you need to do regular backups of additional reading your website. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. Definitely more, if you make changes and additions to your site. If you make changes multiple times every day, or have a community of people that are in there all the time, a backup should be a minimum.
Another step to take to make WordPress secure is to upgrade WordPress. The reason behind this is that there also come fixes for security holes that are old which makes it essential to upgrade early.
These are a few. Thing is they don't need much time to do. These are also simple options, which can be done easily.