I have had two WordPress blogs hacked into in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalised in the search engines. They were not removed, but the rankings were reduced.
Installing the fix wordpress malware protection Scan plugin will check most of this for you, and alert you to anything that you may have missed. Additionally, it will inform you that a user named"admin" exists. That is your administrative user name. You can follow a link and find instructions for changing that name, if you desire. I personally think that a password is good security, and there have been no attacks on the sites that I run since I followed these steps.
Strong passwords - Do your best to use a password, alpha-numeric. Easy to remember passwords are easy to guess!
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make changes and frequent additions to your site, definitely. If you make changes multiple times a day, or have a community of people that are in there all the time, a daily backup should be a minimum.
Security plug-ins that were all-Rounder can be considered as a complete security checker. They scan and check the website and give you information about the weaknesses of the site.
Those are three things you can do to keep WordPress safe without plugins. Put a blank Index.html file in additional hints your folders, run your web host security scan and backup your Source entire account.