Ultimately, fix wordpress malware attack will inform you that there is no htaccess within the directory. You can place a.htaccess record into this directory if you want, and you can use it to handle the wp-admin directory by Ip Address address or address range. Details of how you can do that are plentiful around the internet.
The more powerful approach, and the one I recommend, is to use one of the password creation and storage plugins available for your browser. Lots of people like RoboForm, but I think after a free trial period, you need to pay for it. I use the free version of Lastpass, and I recommend it for those of you who use Firefox or Internet Explorer. That will generate passwords for you; you then use one master password to log in.
You also need to place the"Anyone Can Register" in Settings/General to off, and you should have some type of spam plugin. Akismet is the old standby, the one I use, but there are many of them these days.
Security plug-ins that were all-Rounder can be considered as a full security checker. They give you information concerning the probable weaknesses of the website and check my source scan and check the whole site.
Using a plugin for WordPress security makes sense. WordPress backups will need to be performed on a regular basis. Do not become a victim of not being proactive because!