Okay, you got me: WordPress security isn't the sexiest way to spend your time, but it could end up being one of the most profitable! Nothing is more caustic to the lining of your stomach than having your site go down, and wondering whether or not you've lost it all.
Since scare tactics seem to be what compels some people to take fix malware problems free a bit more seriously, or at the very least start considering the problem, let me shoot a couple of scare tactics your way.
Everything you have worked for will go with it should your site's server return. You'll make no sales, get no traffic or signups to your website link site, until you get the site back up again and in short, you're out of business.
Move your wp-config.php file one directory up from the WordPress root. WordPress will search for it if it can't be found in the root directory. Additionally, nobody else will have the ability to read the file unless they've SSH or FTP access to your server.
It's really sexy to fan the flames of fear. That is what journalists and bloggers and politicians and public figures do. It's terrific for readership and it brings money. Balderdash.
Oh . And by the way, I talked about plugins. Make sure it's a secure one when you get a plugin. Do not install any plugin simply because the owner is saying on his site that plugin can allow you to do that or this. Maybe use a test blog to check the plugin, or maybe get a software engineer to analyze it. This way is not a threat for your organization or you.