Since scare tactics appear to be at the very least start considering the problem, or what drives some people to take fix hacked wordpress site a bit more seriously, allow me to shoot a scare tactics your way.
Don't depend on your internet host - Many people depend on their web host to"do all that technical stuff More about the author for me", not realizing that sometimes, they don't! Far better to have the responsibility lie instead of from your control.
You should also place the"Anyone Can Register" in Settings/General to off, and you ought to have some sort of spam plugin. Akismet is the one I use, the old standby, but there are lots of them these days.
Install the WordPress Firewall Plugin. Prevent and this plugin investigates web requests to recognize attacks.
However, I recommend that you set up the Login LockDown plugin as opposed to any.htaccess controls. That will stops login requests from being permitted from a for an hour or so after three failed login attempts. You can access your mobile while from your office, and yet you have great protection against hackers if you accomplish this.