Installing the fix malware problem Scan plugin will check all this for you, and alert you to anything that you may have missed. It will also tell you that a user named"admin" exists. Needless to say, that is the administrative user name. If you wish, you can follow a link and find directions for changing that name. Personally, I believe that a password is good security, and there have been no successful attacks on the blogs that I run, because I followed those steps.
I might find it a little more difficult to crack your password if you're one of the ones that are proactive. But if you're among those reactive ones, I might just get you.
In case you ever wish to migrate your site elsewhere, like a new hosting company, you'd be able to pull this off without Web Site a hitch, and also without needing to disturb your old site until the new one was set up and ready to roll.
Now we're getting into things specific to WordPress. Whenever you install WordPress, you have to edit the file config-sample.php and rename it to config.php. You want to install the database details there.
These are three things you can do to keep WordPress safe without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your entire account.