how to fix hacked wordpress site will tell you that there's no htaccess from the directory. You may put a.htaccess file if you wish, and you can use it to control access to the directory from IP address or address range. Details of how to do this are readily available on the internet.
The one I recommend, and the more powerful approach, is to use one of the generation and storage plugins available for your browser. I think after a free Discover More trial period, you need to pay for it, although people like RoboForm. I use the free version of Lastpass, and I recommend it for those who use Firefox link or Internet Explorer. That will generate secure passwords for you.
For me it's a WordPress plugin. They are drop dead easy to set up, have all the functions you need for a task like this, and are relatively cheap, especially when compared to having to employ someone to have this done for you.
As I (our untrue Joe the Hacker) understand, people have far too many usernames and passwords to remember. You have got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, web hosting, etc. accounts which all include logins and passwords you need to remember.
Using a plugin for WordPress security just makes sense. WordPress backups need to be performed on a regular basis. Don't become a victim of not being proactive about your own site because!