I back up my blogs frequently using a free plugin WP DB Backup. I can restore my blog to the last 13, if anything happens. I use WP Security Scan free plugin to scan my blog and WordPress Firewall to block requests that are suspicious-looking to fix hacked wordpress site.
Don't make the mistake of believing that your web host will have your back so far as WordPress copies go. Not always. It has been my experience that the hosting company may or may not be doing proper backups while they say they do. Why take that kind of chance?
1 step you can take is to delete the default administrator account. This is critical because if you do not do it, malicious user know a user name that they could try to crack.
Now we are getting into matters specific to WordPress. You have to rename it to config.php and modify the document config-sample.php, when you install WordPress. You need to set up the database facts there.
I prefer to use a WordPress plugin to visit their website get the work done. Make sure that the plugin you choose is in a position to do copies that are select, has restore functionality, and can clone. Be sure it is often updated to keep pace with all versions of WordPress. There is no use in not functioning, and backing up your data to a plugin that's out of date.