fix wordpress malware scanner will tell you that there is not any htaccess from the wp-admin/ directory. You can put a.htaccess file if you desire, and you can use it to control access from IP address to the directory or address range. Details of how to do that are available on the internet.
There are numerous ways to pull this off, and many of them involve copying and FTPing files, exporting and re-establishing databases and much more. Some of these are very complicated, so it is imperative that you select the one that is best. Then you might want to check into using a plugin for WordPress backups if you're not of the persuasion that is technical.
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make additions and changes definitely more. If you have a community of people that are in there all the time, or make changes multiple times a day, a backup should be a minimum.
As I (our fictitious Joe the Hacker) know, people have far too many usernames and passwords to remember. You've got Twitter, Facebook, your online Find Out More banking, LinkedIn, two site logins, FTP, web hosting, etc. accounts which all include logins and passwords you will need to remember.
There is. People always know they could visit your login form and where they can login and try a different combination of passwords and user accounts outside. In order to stop this from happening you need to set up Login Lockdown. It's a plugin that allows users to attempt and login with a wrong password three times. After that the IP address will be banned from the server for a specific amount of time.