Finally, clean hacked wordpress site will also tell you that there is not any htaccess in the wp-admin/ directory. You can put a.htaccess file within this directory if you wish, and you can use it to control access by IP address to the wp-admin directory or address range. Details of how to do that are available on the net.
I might find it a little more difficult to crack your password, if you're one of the ones that are proactive. But if you're among those ones, I might get you.
One thing you can take is to delete the default administrator account. This is important because if you do not do it, malicious user already know a user name which they could attempt to crack.
You can extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. I think you can use it and this plugin is a fantastic choice.
I prefer to find more use a WordPress plugin to get the job done. Make sure that the plugin you select is able to do backups that are select, has restore and can replicate. Be sure visit this page that it is frequently updated to keep pace. There is no use in not working, and backing up your data to a plugin that is out of date.