Ultimately, fix wordpress malware cleanup will inform you that there is no htaccess inside the directory. You may place a.htaccess record in to this directory if you want, and you can use it to manage usage of this wp-admin directory from Ip Address address or address range. Details of how you can do this are plentiful around the internet.
Also, don't make the mistake of thinking that your hosting company will have your back as far as WordPress copies go. Not always. It has been my experience that the hosting company may or might not be doing proper backups while they say they do. Take that kind of chance?
Harness Scanner goes through the files on your website database, comment and place tables in search of anything suspicious. It also notifies you for plugin names that are odd. It doesn't remove anything, it warns you for threats.
Phrases that were whitelists and black based on which navigate to this site area they appear within. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
Utilizing a plugin for WordPress security just makes great sense. Backups will need to be carried out on a regular basis. Do not become a victim of not being proactive about your own site because!