Installing the fix wordpress malware cleanup Scan plugin will check most of this for you, and alert you to anything that you may have missed. It will also tell you that a user named"admin" exists. That is the administrative user name. You can follow a link and find directions if you desire. Personally, I believe that a password is good enough security, and since I followed these steps, there have been no successful attacks on the blogs that I run.
Strong passwords - Do what you can to use a strong password, alpha-numeric. Easy to remember passwords are easy to guess!
Yes, you need to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely more if you make frequent additions and changes to your site. If you have a community of people which are in there all the time, or make changes multiple times a day, a backup should be a minimum.
Make a note of your new password! I recommend the paid or free version of the software *Roboform* to remember your passwords.
There is. People know where they can login and additionally they could visit with your login form and try out a different combination of passwords and user accounts. In order to prevent this from happening you need to install Login Lockdown. It's a plugin that only lets users attempt and login with a password three times. Following that look at more info the IP address will be banned from the server for a certain timeframe.