Since scare tactics appear to be at least start thinking about the problem, or what compels some people to take fix wordpress malware a bit more seriously, allow me to shoot a scare tactics your way.
I protect an access to important files on the blog's server by placing an index.html file in the particular directory, that hides the files from public view.
There's a section of config-sample.php that's headed"Authentication Unique Keys." There are four definitions which appear within the block. A hyperlink is within that section of code. You need to enter that link into your browser, copy the contents that you get back, and replace the keys you have with the unique, pseudo-random keys provided by the site. This makes it harder for attackers to automatically create a"logged-in" cookie for your site.
Can you see that folder what if you go to WP-Content/plugins? If so, upload this blank Index.html file inside that folder as you can try these out well so people can not see what plugins you might have. Because if your current version of WordPress is up to date, if you're using an old plugin or a plugin using a security hole, then someone can use that to get access.
Implementing all of the above will probably take less than an hour to finish, while creating your WordPress site much more resistant to intrusions. Over 1 million WordPress websites were cracked last year, mainly due to easily preventable safety gaps. Have yourself prepared and you're likely to be on the safe side.