Installing the fix wordpress malware plugin Scan plugin will check all this for you, and alert you that you may have missed. Additionally, it will inform you that a user named"admin" exists. That is your administrative user name. If you desire, you can follow a link and find directions for changing that title. I think that a password is enough security that is good, and there have been no successful attacks on the sites that I run since I followed those steps.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, which hides the files out of public view.
You should also place the"Anyone Can Register" in Settings/General to away, and you should have some type of spam plugin. Akismet is the old this contact form standby, the one I use, but there are many of them these days.
You can extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a good option and you can use it.
However, I recommend that you install the Login LockDown plugin in place of any.htaccess controls. From being allowed after three failed login attempts from a specific IP address for one hour login requests will stop. You can still access your panel whilst away from your workplace, read and yet you have great protection against hackers, if you do that.