I've had two WordPress blogs hacked into formerly. That was in a time when I was doing virtually no online marketing, and until I found time to handle the situation (weeks later), these sites were penalized at the major search engines. They weren't eliminated the ratings were reduced.
Installing the fix wordpress malware attack Scan plugin will check most of this for you, and alert you that you might have missed. Additionally, it will inform you that a user named"admin" exists. Needless to say, that is the user name. You can follow a link and find directions for changing that name, if you desire. I personally think that a strong password is good protection, and because I followed these steps, there have been no successful attacks on the several blogs that I run.
The one I recommend, and the stronger approach, is to use one of the generation and storage plugins available on your browser. RoboForm is liked by people, but I think after a free trial period, you need to pay for it. I use the free version of Lastpass, and I recommend it for those who use Firefox or Internet Explorer. That will generate secure passwords for you; you use one master sites password to log in.
It represents a necessary task while it's an odd term : creating a WordPress copy of your website to work on offline, or in case something should go amiss. We're not only being obsessive-compulsive here: servers go down every day, despite their claims of 99.9% uptime, and if you've had this happen to you, you know the fear is it can cause.
Note that this step for setups should only try. If you might like to do it you'll also need to change all the table names within the database.
Implementing all of the above will take less than an hour to complete, while making your WordPress site more resistant to intrusions. Over 1 million WordPress websites were last year, mainly due to preventable security gaps. Have yourself prepared and you're likely to be on the safe side.