fix wordpress malware removal will also inform you that there is not any htaccess within the directory. You may put a.htaccess record in to this directory if you would like, and you can use it to handle the wp-admin directory by Ip Address address or address range. Details of how you can do that are plentiful around the net.
Use strong passwords - Do your best to see this use a password, alpha-numeric. Easy to remember passwords are also easy to guess!
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make additions and changes definitely more. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
Now we're getting into matters specific to WordPress. You must rename it to config.php and modify the file config-sample.php, when you install WordPress. You will need to set up the database facts there.
Just ensure you choose a plugin that's current with release and the version of WordPress, and that you may schedule, restore and replicate.