Files can easily get lost if you don't have good protection on your website. Some of those files might be saved on your computer and easily replaceable, but what about the rest of them? Where will you get them out of again, if you lose the first time to them? For sites that have been in operation for quite a long time, fix wordpress malware cleanup is very important. Often, long-term sites have a lot of data and have made a number of files. Recreating that all are a nightmare, and not something any business owner wants to do.
Also, don't make the mistake of believing that your web host published here will have your back so far as WordPress backups go. Not always. It's been my experience that the hosting company may or may not be doing backups while they say they do. Why take that kind of chance?
Is to delete the default administrator account. This is critical because if you do not do it, a user name which they could attempt to crack is already blog known by malicious user.
Imagine if you visit WP-Content/plugins, can you see that folder? If so, upload that blank Index.html file inside that folder as well so people can not view what plugins you might have. Someone can use this to get access because if your version of WordPress is current, if you are using a plugin or an old plugin with a security hole.
I prefer to use a WordPress plugin to get the job done. Make sure is in a position to do copies that are select, has restore and can clone. Be sure that it is frequently updated to keep pace. There is no use in not working, and backing up your data to a plugin that's out of date.