I've had two WordPress blogs hacked into previously. That was in a time when I was doing almost no online advertising, and until I found time to handle the situation (weeks later), these sites were penalized in the major search engines. They weren't eliminated, no matter how the ratings were reduced.
I back up my blogs regularly using a plugin WP DB Backup. I will always restore my website to the settings if anything happens. I use WP Security Scan plugin that is free to scan my blog regularly and asks that are suspicious-looking to be blocked by WordPress Firewall to fix wordpress malware cleanup.
Don't make the mistake of believing that your web host will have your back so far as WordPress copies go. Not always. It her explanation has been my experience that the company may or may not be doing proper backups while they say that they do. Take that kind of chance?
Recently, the site of Reuters was murdered by an unknown hacker and published a news article that was fake. Their reputation is already destroyed due to what the hacker did since Reuters is a popular news website. Something similar may happen to you if you don't pay attention.
You may extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. I think this plugin is a good option and you can use it for free.
These are. Set a blank Index.html file in your folders, run your web host security scan and backup your whole account.