Ultimately, fix wordpress malware plugin will also inform you that there is no htaccess within the directory. You can place a.htaccess record in to this directory if you would like, and you can use it to handle this wp-admin directory from Ip Address address or address range. Details of how you can do this are plentiful around the internet.
Backup plug-ins is also important. You want to backup database and all the files you can bring your own blog back like nothing happened.
Should you ever wish to migrate your site elsewhere, such as a new hosting company, next page you'd have the ability to pull this off without a hitch, and also without having to disturb your old site until the new one was set up and ready to roll.
Can you see that folder, Imagine if you go to WP-Content/plugins? If so, upload that blank Index.html file into that folder as well so people can not see what plugins you might have. Someone can use this to get access because if your version of WordPress is up to date, if you're using a plugin or an old plugin using a security hole.
There is another problem you have with WordPress. People know where they can login and they also could just drop by your login form and try out a different combination of user accounts and passwords. So as to stop this from happening you need to set up Login Lockdown. It is a plugin that only allows users to try and login with a password three times. After that the IP address will be banned from the server for a specific amount of time.