Finally, fix hacked wordpress site will inform you that there's no htaccess within the directory. You may put a.htaccess record in to this directory if you want, and you can use it to manage usage of this wp-admin directory from Ip Address address or address range. Details of how you can do that are plentiful around the internet.
Protect your login credentials - Do not keep your login credentials where pop over here they might be found by a hacker. Store them off, and even offline. Roboform is for protecting them good . Food for thought!
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely if you make changes and additions to your site. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
Upgrade, if you aren't currently running the latest version of WordPress. Like maintaining your door unlocked when you leave for vacation, leaving your website is.
However, I advise that you install the Login LockDown plugin in place of any.htaccess controls. From being permitted after three failed login attempts from a specific IP address for one hour login requests will stop. You can still get into your admin panel while away from your workplace, and yet you have great protection against hackers, if you do that.