I back up my blogs using a plugin WP DB Backup. I will restore my website to the 13, if anything happens. I use my site to be scanned by WP Security Scan plugin that is free frequently and WordPress Firewall to block asks that are suspicious-looking to repair hacked wordpress site.
Protect your login credentials - Do not keep your login credentials where a hacker might find them. Store them off, and even offline. Roboform is for protecting them very good . Food for thought!
Move your wp-config.php file one directory up from the WordPress root. WordPress will search for it if it cannot be found in the root directory. Additionally, nobody will be able to read the file unless they have FTP or SSH access to your server.
Take note of your new password to the next time you sign this content in! I recommend the version of the secure software *Roboform* to remember your passwords.
These are three simple things you can do to keep WordPress safe without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your whole account.