You may well have heard all the buzz online about the attacks on WordPress security. Unfortunately this is no joke, and it needs to be taken very seriously, or all you've built could be hijacked or worse, lost to you.
Allow me to shoot a few scare tactics your way since scare tactics seem to be what compels some people to take fix malware problem a bit more seriously, or at the very least start considering the problem.
Everything you have worked for will go with it should your website's server return. You'll make no sales, get signups or no traffic to your website, until you have the site back up again and in short, you're out of business.
You should also set the"Anyone Can Register" in Settings/General to away, and you should have some sort of spam plugin. Akismet is the old standby, the one I use, but there are many of them these days.
As I (our fictitious Joe the Hacker) know, people have way too many usernames and passwords to remember. You've got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, internet hosting, etc. accounts that all come with logins and passwords you will need to remember.
These are three very simple things you can do to keep WordPress safe without plugins. Set a blank Index.html file in your folders, run your web basics host security scan and backup your entire account.