Cloning your site is another degree in fix wordpress malware attack that may be very useful. Cloning simply means that you have backed up your website to a totally different place, (offline, as in a folder, in order not to have SEO issues ) where you can get it at a moment's notice if the need arises.
I might find it somewhat more difficult to crack your password, if you're one of the ones that are proactive. But if you're one of the ones that are responsive, I might just get you.
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More, if at all possible. Definitely if you make changes and additions to your website. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
Another step to take to make WordPress secure is this post to upgrade WordPress to the latest version. The reason for this is that with every update there also come fixes for security holes that are old which makes it essential to update early.
However, I recommend that you install the Login LockDown plugin rather than any.htaccess controls. That will stops login requests from being permitted from a for an hour or so after three failed login attempts. If you accomplish that, you can access your cell while and yet you still have protection against hackers.