I have had two WordPress blogs. That was at a time when I was doing virtually no internet marketing, and until I found time to deal with the situation (weeks later), these sites were penalized at the main search engines. They weren't eliminated the ratings were reduced.
In my opinion, the best way to make sure your WordPress security is through the use of a rename your login url to secure your wordpress website backup plugin. This is a relatively inexpensive, easy and elegant to use way to make certain that your site is accessible to you.
No software system is resistant to bugs and vulnerabilities. Security holes will be discovered and bad guys will do their best to exploit them. Keeping your software up-to-date is a good way to stave off attacks, once security holes are found because their products will be fixed by software vendors.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if at all possible. Definitely if you make frequent additions and changes to your site. If you make changes multiple times every day, or have a community of people that are in there all the time, a daily backup should be a minimum.
Install the WordPress Firewall Plugin. This plugin investigates web requests with WordPress-specific heuristics that are easy to recognize and prevent most obvious attacks.
However, I recommend that you set click resources up the Login LockDown plugin try this site as opposed to any.htaccess controls. Login requests will be ceased by that from being allowed from a specific IP-ADDRESS for an hour or so after three failed login attempts. You can still access your admin mobile while from your office, and yet you still have protection against hackers if you accomplish this.