Let me shoot a few scare tactics your way since scare tactics seem to be what compels some people to take fix hacked wordpress database a bit more seriously, or at the very least start considering the issue.
I protect an access to important files on the site's server by placing an index.html file in the particular directory, which hides the files from public view.
You also need to set the"Anyone Can Register" in Settings/General to off, and you should have some sort of spam plugin. Akismet is the old standby, the one I use, but there are many of them nowadays.
You can extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think you can use it at no cost and this plugin is a fantastic option.
However, I recommend that you set up the Login LockDown plugin rather than any.htaccess controls. Login requests will be ceased by that from being allowed from a image source for an hour or so after three unsuccessful login attempts. If you accomplish that, you can still site link access your admin mobile while and yet you still have great protection against hackers.