Installing the repair hacked wordpress site Scan plugin alert you that you may have missed, and will check most of this for you. It will also inform you that a user named"admin" exists. That is your user name. You find directions if you desire and can follow a link. I personally believe that there is a strong password good enough security, and there have been no successful attacks on the blogs that I run since I followed those steps.
Essentially, it will all start with the basics. Attempt to use passwords. Use numbers, letters, special characters, and spaces and combine them to create a password that is special. You can also use usernames that are not obvious.
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More, if at all possible. Definitely if you make changes and additions to your website. If you make changes multiple times check this site out a day, or have a community of people which are in there all the time, a backup should be a minimum.
As I (our fictitious Joe the Hacker) understand, people have way too many usernames and passwords to remember. You have got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, internet hosting, etc. accounts which all include logins and passwords you need to remember.
I prefer using a WordPress plugin to get the work done. Just make sure the plugin you select is in a position to do select copies, has restore and can replicate. Be sure that it is frequently updated to keep pace. There's absolutely no use in not working, and backing up your data to a plugin that's out of date.