fix wordpress malware attack will even tell you that there's no htaccess in the wp-admin/ directory. You can put a.htaccess file within this directory if you desire, and you can use it to control access by IP address to the wp-admin directory or address range. Details of how to do this are available on the net.
The one I recommend, and the stronger approach, is to use one of the creation and storage plugins available on your browser. I believe after a free trial period, you need to pay for it, although people like RoboForm. I use the free version of Lastpass, and I recommend it for those who use Firefox content or Internet Explorer. That will generate passwords for you.
There's a section of config-sample.php that's headed"Authentication Unique Keys." There are four definitions which appear within the block. There is a hyperlink within that section of code. You need to enter that link in your browser, copy the contents which you return, and then replace the keys you have with the unique, pseudo-random keys provided by the site. This makes it harder for attackers to automatically generate a"logged-in" cookie for your site.
Security plug-ins that were all-Rounder can be considered as a security checker that was complete. They scan and check the entire website and provide you with information about the probable weaknesses of the website.
Do your homework and some hunting, but if you're pressed for time and need to get this try out the WordPress safety plugin that I use. It is a relief to know that my website (and company!) are secure.