By default, the latest version of WordPress is pretty secure. The development team of WordPress has considered anything that might have been added to any repair hacked wordpress site plugins. Before, WordPress did have holes but now most of them are filled up.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, which hides the files from public view.
Move your wp-config.php file up one directory from the WordPress root. WordPress will search for it there if it can't be found in the main directory. Additionally, nobody else will have the ability to read the file unless they have SSH or FTP access to your server.
Security plug-ins that were all-Rounder can be thought of as a full security about his checker. They scan and check the site and give you information about the weaknesses of the website.
However, I recommend that you set up the Login LockDown plugin rather than any.htaccess controls. Login requests will be stopped by that from being allowed from a certain IP-ADDRESS for an hour or so after three failed login attempts. It is still possible to access your admin cell while and yet you still have protection against hackers if you accomplish that.