You will find that there is no .htaccess file in the wp-admin/ directory. You may put a .htaccess file in this directory if you wish, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do that are readily available on the internet.
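A sketch of such a wp-admin/.htaccess file, added here as an illustration and not taken from the original post. It assumes Apache 2.4 with AllowOverride permitting AuthConfig; the addresses are constructed placeholders from the documentation ranges and must be replaced with your own.

```apache
# wp-admin/.htaccess (added example, Apache 2.4 syntax)
# Only the listed addresses may reach the admin area; everyone else gets 403.
<RequireAny>
    # Single administrator address (placeholder value)
    Require ip 203.0.113.10
    # Office address range in CIDR notation (placeholder value)
    Require ip 198.51.100.0/24
</RequireAny>

# Themes and plugins call admin-ajax.php from the public side of the site,
# so it stays reachable for all visitors; the rest of wp-admin remains restricted.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After uploading the file, request /wp-admin/ from an address that is not on the list and confirm the server answers 403 Forbidden.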
Strong passwords - Do your best to use a strong password: alphanumeric, with upper and lower case and special characters. Easy to remember passwords are also easy to guess!
Yes, you want to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. If you make changes and regular additions to your site, definitely more. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
Now we're getting into matters. When you install WordPress, you have to alter the file config-sample.php and rename it to config.php. You need to enter the database details there.
Do your homework and some searching, but if you're pressed for time and want to get this done once and for all, try out the WordPress security plugin that I use. It is a relief to know that my site (and business!) is secure.