I back up my blogs regularly using a free plugin WP DB Backup. If anything happens I will restore my website. I use WP Security Scan free plugin to scan my site and requests that are suspicious-looking to be blocked by WordPress Firewall to secure your wordpress site.
Also, don't make the mistake of thinking that your web host will have your back as far as WordPress backups go. Not always. It's been my experience that the company may or may not be doing proper backups while they discover here say they do. Take that kind of chance?
There is a section of config-sample.php that's headed"Authentication Unique Keys." There are four definitions which appear within the block. There is a hyperlink inside that part of code. You need to enter that link in your browser, copy the contents that you get back, and replace the keys you have with the unique, pseudo-random keys provided by the website. This makes it harder for attackers to automatically create a"logged-in" cookie for your site.
Can you view that folder Imagine if you visit WP-Content/plugins? If so, upload this blank Index.html file into that folder as well so people can not see what plugins you might have. Because even if your version of WordPress is current, if you're using an old plugin or a plugin using a security hole, someone can use this to get access.
Change your password, or admin username and your WordPress password and collect and use other good WordPress security tips to keep hackers out!