Okay, you got me: WordPress security isn't the sexiest way to spend your time, but it could end up being one of the most profitable! Nothing is more caustic to the lining of your stomach than having your site go down, and wondering whether or not you've lost it all.
Finally, fix wordpress malware attack will tell you that there is no htaccess in the directory. You may put a.htaccess file into this directory if you wish, and you can use it to control access by IP address to the wp-admin directory or address range. Details of how to do this are available on the net.
Safeguard your login credentials - Don't keep your login credentials where they might be found by a hacker. Store them off, and even offline. Roboform is for protecting them good . from this source Food for thought!
Keep your WordPress Setup to date - One of the easiest and most valuable tasks you can do yourself is to make sure your WordPress installation is upgraded. WordPress gives a notice on your dashboard to you, so there is really no reason.
You can extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. I think this plugin is a good option and you can use it at no cost.
However, I advise that you set up the Login LockDown plugin in place of any.htaccess controls. From being allowed after three unsuccessful login attempts from a specific IP address for an hour, login requests will like it stop. You can access your panel while and yet you have protection against hackers if you do that.