Allow me to shoot a scare tactics your way since scare tactics appear to be what drives some people to take fix wordpress malware virus a little more seriously, or at the very least start considering the problem.
No software system is resistant to bugs and vulnerabilities. Security holes will be discovered and guys will do their best to exploit them. Keeping your software up-to-date is a good way once security holes are found because their products will be fixed by Continued software vendors that are reliable.
Yes, you want to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if at all possible. Definitely more, if you make additions and changes to your site. If you have a community of people which are in there all the time, or make changes multiple times a day, a backup should be a minimum.
You can extend the plugin features see this with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a good option and you can use it at no cost.
There is. People know where they can login and they also could just visit your login form and try outside a different combination of user accounts and passwords. So as to prevent this that site from happening you need to install Login Lockdown. It is a plugin that lets users try to login with a password three times. After that the IP address will be banned from the server for a specific timeframe.