I back up my blogs using the WP DB Backup plugin. If anything happens, I will restore my website to the last settings. I use the free WP Security Scan plugin to scan my site regularly and WordPress Firewall to block suspicious-looking requests.
The approach, and the one I recommend, is to use one of the password generation and storage plugins available for your browser. RoboForm is well liked, although I think you need to pay for it after a trial period. I use the free version of LastPass, and I recommend it for those who use Internet Explorer or Firefox. It will generate secure passwords for you; you then use one master password to log in.
Exploit Scanner searches the files on your site, and the post and comment tables of your database, for anything suspicious. It also notifies you about plugin names. It doesn't remove anything; it only warns you.
Take note of your new password! I suggest the free or paid version of *RoboForm* to remember your passwords.
Those are three very simple things you can do to keep WordPress secure without plugins: set a blank index.html file in your folders, run your web host's security scan, and back up your entire account.