By default, the newest version of WordPress is pretty darn secure. The development team of WordPress has considered anything that might have been added to any fix wordpress malware virus plugins. In the past , WordPress did have holes but now most of them are stuffed up.
Also, don't make the mistake of believing that your web host will have your back so far as WordPress backups go. Not always. It's been my experience that the company may or may not be doing proper backups while they say that they do. Why take that kind of chance?
There's a section of config-sample.php that's headed"Authentication Unique Keys." There are. A hyperlink is inside that part of code. You need to enter that link into your browser, copy the contents which you return, and then replace the keys you have my sources with the unique, pseudo-random keys offered by the site. This makes it harder for attackers to automatically generate a"logged-in" cookie for your website.
It is really sexy to fan the flames of fear. That's what journalists and bloggers and politicians and public figures do. It's great for readership and it brings money to the war chests. Balderdash.
But realize that online security is something that you really need to start thinking about. Do not just be the type that is reactive, consider steps to start today, protecting yourself. Don't let Joe the Hacker make your life miserable and turn all in creating come crashing down in a matter of moments, that you've worked hard.