Install the fix wordpress malware scanner Firewall Plugin. Quit and this plugin investigates net requests with straightforward heuristics to recognize attacks that are obvious.
Also, don't make the mistake of believing that your web host will have your back as far as WordPress copies go. Not always. It's been my experience that the company may or may not be doing proper backups while they say they do. Why take that kind of chance?
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely more, if you make changes and frequent additions to your website. If you have a community of people which are in there all the time, or make changes multiple times a day, a daily backup should be a minimum.
Whitelists phrases and black based on which field they appear within. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
Software: If you've installed scripts that YOURURL.com are free like Wordpress, search Google for'wordpress security'. You will get many tips.