I back up my blogs regularly using the WP DB Backup plugin. I will always restore my website if anything happens. I have my site scanned frequently by the free WP Security Scan plugin, and have requests blocked by WordPress Firewall, to fix WordPress malware.
Don't depend on your web host - Many people depend on their web host to "do all that technical stuff for me", not realizing that sometimes they don't! Far better to have the responsibility lie with you instead of with someone else.
One step you can take is to delete the default administrator account. This is critical because if you do not do it, malicious users already know a user name which they could try to crack.
If you aren't running the latest version of WordPress, upgrade today. Leaving your site on an old version is like leaving your door unlocked when you go on vacation.
These are three things you can do to keep WordPress safe without plugins: put a blank index.html file in your folders, run your web host's security scan, and back up your entire account.
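
The blank-index tip above, as an added shell example that is not from the original post: it lists folders that lack an index file and creates an empty index.html in each. The function names and the sample tree are assumptions; an existing index.php is treated as an index file because WordPress ships such placeholders in its own folders.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the post).

# Print every directory under $1 that has neither index.html nor index.php,
# i.e. a folder where the web server could show a file listing.
missing_index() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # sort buffers the full directory list before the loop starts reading it
    find "$root" -type d | sort | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Create a blank index.html in each directory reported by missing_index.
# Directories that already have an index file are left untouched.
add_blank_index() {
    missing_index "$1" | while IFS= read -r dir; do
        : > "$dir/index.html"
    done
}

# Constructed sample tree for trying the functions (not a real site).
# Only plugins/ starts out with an index file.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/uploads/2024" "$t/plugins" "$t/themes"
    : > "$t/plugins/index.php"
    printf '%s\n' "$t"
}

# Usage on a real install (path is a placeholder):
#   missing_index /path/to/wp-content      # review the list first
#   add_blank_index /path/to/wp-content    # then fill the gaps
```

Run `missing_index` on its own first so you can review which folders will receive a file before `add_blank_index` changes anything.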