Allow me to shoot a scare tactics your way since scare tactics appear to be what compels some people to take clean hacked wordpress site a bit more seriously, or at least start considering the issue.
Don't make the mistake of believing that your web host will have your back as far as WordPress backups go. Not always. While they say they do, it's been my experience that the company may or might not be doing backups. Take that kind of chance?
This is quite handy plugin, protecting you against brute-force attacks that are password-crack. It keeps track of the IP address of every failed login attempt. You can configure the plugin to disable login attempts for a range of IP addresses when a certain number of attempts is reached.
Another step to take to make WordPress more secure is to always upgrade WordPress to the latest version. The reason for this is that with every update there come fixes for security holes that are old making it essential to upgrade.
However, I recommend additional hints that you install the Login LockDown plugin as opposed to any.htaccess controls. That will stops login requests from being allowed from a specific IP-ADDRESS for an hour or so after three failed login attempts. If you accomplish that, it is still possible to access your cell while and yet you have good protection against hackers.