I've had two WordPress blogs. That was in a time when I was doing almost no internet advertising, and until I found time to handle the situation (weeks later), these sites were penalized in the major search engines. They were not eliminated the evaluations were reduced.
secure your wordpress website will tell you that there is no htaccess in the directory. You may put a.htaccess file if you wish, and you can use it to control access from IP address to the directory or address range. Details of how to do this are available on the net.
The one I recommend, and the approach, is to use one of the password creation and storage plugins available on your browser. I think after a free trial period, you need to pay for it, although people like RoboForm. I use the free version of Lastpass, and I recommend it for those of you who use Internet Explorer or Firefox. That will generate passwords for you; you then use one master password to log in.
1 step you can take is to delete the default administrator account. This is important because if you don't do it, malicious user know a user name which they best site could attempt to crack.
Take note of your new password! I suggest the version of the software visite site that is protected *Roboform* to remember your passwords.
I prefer to use a WordPress plugin to get the job done. Just make sure is able to do select copies, has restore and can clone. Be sure it is often updated to keep pace. There's absolutely not any use in backing up your data and not functioning.