fix hacked wordpress database will even tell you that there is not any htaccess from the directory. You can put a.htaccess file if you wish, and you can use it to control access from IP address to the directory or address range. Details of how to do this are readily available on the internet.
Protect your login credentials - Don't keep your login credentials where a hacker might find them. Store them offsite, and even offline. Roboform is good for protecting them, also. Food for thought!
Yes, you want to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make changes and frequent additions to your website, definitely. If you have a community of people which are in there all the time, or make changes multiple times every day, a daily backup should be a minimum.
Phrases that were whitelists and black based on which area they look within. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
However, I recommend that you install the Login LockDown plugin as opposed to any.htaccess controls. That will stops login requests from being permitted from a for an hour or so after three unsuccessful login attempts. If you accomplish this, you can access your mobile while Our site from your office, and yet you have good protection against hackers.