Finally, fix wordpress malware protection will also tell you that there is not any htaccess from the directory. You can put a.htaccess file into this directory if you wish, and you can use it to control access from IP address to the directory or address range. Details of how to do this are available on the net.
Don't make the mistake of believing that your hosting company will have your back so far as visit site WordPress copies go. Not always. It's been my experience that the hosting company may or may not be doing backups while they say they do. Take that kind of chance?
One step you can take is to delete the default administrator account. This is important because if you don't do it, a user name which they could try to crack is already known by malicious user.
Upgrade if you aren't running the latest version of WordPress. Leaving your site is like keeping your door unlocked when you leave for vacation.
Don't use wp_. That default is being eliminated by web hosting providers but if yours doesn't, adjust wp_ to anything else but that.