I have had two WordPress blogs hacked into in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalised in the search engines. They were not removed, but the rankings were reduced.
Finally, fix wordpress malware will tell you that there is no htaccess in the directory. You may put a.htaccess file if you wish, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do that are available on the net.
I might find it a little harder to crack your password, if linked here you're one of the ones that are proactive. But if you're one of those ones that are responsive, I might get you.
Yes, you need to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely, if you make regular additions and changes to your website. If you make changes multiple times a day, or have a community of people which are in there all the time, a daily backup should be a minimum.
Make a note of your password for the next time you sign in! I suggest the free or paid version of the software *Roboform* to remember your passwords.
Do your homework and some hunting, but if you're pressed for time and need to get this done once and for all, try the WordPress security plugin that I use. It's a relief to know that my website (and company!) are secure.