fix wordpress malware protection will even tell you that there's not any htaccess from the wp-admin/ directory. You can put a.htaccess file within this directory if you desire, and you can use it to control access to the directory from IP address or address range. Details of how to do that are available on the net.
This is fantastic news because it means that there's a strong community of developers and users that could improve the platform. However, whenever there is a group of people trying to achieve something, there'll always be people who will try to take down them.
This is very useful plugin, protecting you against brute-force password-crack strikes. It keeps track top article of the IP address of every login attempt. You can configure the plugin to disable login attempts when a certain number of failed attempts is reached.
Imagine if you go to WP-Content/plugins, can you see that folder? If so, upload this blank Index.html file inside that folder as well so people can't see what plugins you have. Because even if your existing version of WordPress is up to date, if you're using an old plugin or a plugin with a security hole, someone can use this to get access.
I prefer to use a WordPress plugin to get the job done. Just make sure the plugin you choose is in a position to do backups, has restore and can replicate. Also be sure that it is often updated to keep pace. There is no use in not working, and backing your data up to a plugin that's out of date.