By default, the newest version of WordPress is pretty darn secure. The development team of WordPress has considered anything that might have been added to some fix wordpress malware fix plugins. Before, WordPress did have holes but most of them are filled up.
Strong passwords - Do what you can to use a strong password, alpha-numeric, with upper and lower case and special characters. Easy to remember passwords are easy to guess!
In case you ever wish to migrate your website elsewhere, such as a new you can check here web host, you'd be able to pull this off without a hitch, and also without needing to disturb your old site until the new one was set up and ready to roll.
You may extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a fantastic option and you can use it for free.
However, I advise that you install the Login LockDown plugin rather than any.htaccess controls. That will stops login requests from being allowed from a for an hour or webpage so after three failed login attempts. It is still possible to access your admin cell while from your office, and yet you still have protection against hackers if you accomplish this.