Keep headers/logos under 125 pixels high. It takes up valuable viewing space, especially for laptop users, that is best left for the good stuff to appear"above the fold." Take a cue from the big companies, simple logos done well say it all. This is our #1 pet peeve - screaming logos and headers!
By default, the latest version of WordPress is pretty secure. The development team of WordPress has considered anything which may have been added to any fix wordpress malware attack plugins. In the past , WordPress did have holes but most of them are filled up.
Don't make the mistake of thinking that your hosting company will have your back as far as WordPress backups go. Not always. It has been my experience that the company may or may not be doing backups, while they say that they do. Why take that kind of chance?
Exploit Scanner goes through the files on your site comment database and place tables. It informs you for blog here plugin names that are unusual. It does not remove anything, it warns you.
Install the WordPress Firewall Plugin. This plugin investigates web requests to identify and stop attacks.
However, I recommend that you install the Login LockDown plugin rather than any.htaccess controls. That will stops login requests from being allowed from a specific IP-ADDRESS for an hour or so after three failed login attempts. It is still possible to access your admin cell while and yet you still have protection go to my site against hackers, if you accomplish that.