Cloning your website is another degree in fix wordpress malware virus which may be useful. Cloning simply means that you have backed up your site to a totally different place, (offline, as in a folder, in order to not have SEO issues ) where you can get it at a moment's notice if the need arises.
If you're among the ones that are proactive, I might find it a little more difficult to crack your password. But if you're one of those reactive ones, I might get you.
Recently, an unknown hacker hacked the site of Reuters and posted a news article. Since Reuters is a news website, their reputation is already ruined anonymous due to what the hacker did. If you do not pay attention on the security of your WordPress 20, the same thing may happen to you.
You can extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think you can use it at no cost and this plugin is a good option.
Those are three very simple things you can do to keep WordPress safe without plugins. Put a blank Index.html file in your folders, run your web here host security scan and backup your whole account.