The fix wordpress malware scanner Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed via an FTP client or within the page from the web host.
No software system is resistant to vulnerabilities and bugs. Security holes will be discovered and guys will do their best to exploit them. Keeping your software up-to-date is a fantastic way to stave off attacks, once security holes are found because their products will be fixed by software vendors.
It represents a task while it's an odd term : index making a WordPress copy of your site to work on offline, or in the event something should go amiss. We are not only being obsessive-compulsive here: servers go down every day, despite their claims of 99.9% uptime, and if you've had this happen to you, you know the fear is it can cause.
You may extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a good choice and you can use it.
However, I recommend that you install the Login LockDown plugin rather read this than any.htaccess controls. That will stops login requests from being permitted from a certain IP-ADDRESS for an hour or so after three unsuccessful login attempts. It is still possible to access your cell while and yet you his explanation still have protection against hackers, if you accomplish that.