Cloning your website is another measure in WordPress malware removal that can be very useful. Cloning simply means that you have backed up your site to a completely different location (offline, as in a folder, so as not to cause SEO problems) where you can get at it at a moment's notice if the need arises.
There are many ways to pull this off, and many involve FTPing files, exporting and copying, re-establishing databases and more. Some of these are very complicated, so it is imperative that you select the best one. If you are not of the technical persuasion, you might want to look into using a plugin for WordPress backups.
This is a very handy plugin that protects you against brute-force password-cracking attacks. It keeps track of the IP address of every login attempt. You can configure the plugin to disable login attempts when a certain number of failed attempts is reached.
What can you see if you go to wp-content/plugins? If you can see the contents of that folder, upload this blank index.html file inside that folder as well so people can't see what plugins you have. Even if your version of WordPress is current, someone can use that listing to get access if you're using an old plugin or a plugin with a security hole.
There is another problem you have with WordPress. People know where your login form is, and they could just visit it from outside and try different combinations of user accounts and passwords. To stop this from happening, you want to set up Login Lockdown. It's a plugin that only allows users to try to log in with a wrong password three times. After that, the IP address will be banned from the website's server for a specific timeframe.
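
The lockout behaviour described above (tracking the IP address of each login attempt and banning an address after three wrong passwords) can be sketched as follows. This is an added example, not Login Lockdown's own code; the class and function names, the five-minute counting window and the one-hour ban are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Per-IP failed-login tracker with a temporary lockout."""

    # max_failures=3 comes from the article; window and lockout are assumed values.
    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures
        self.window = window                  # seconds over which failures count
        self.lockout = lockout                # seconds an IP stays banned
        self.failures = defaultdict(deque)    # ip -> recent failure timestamps
        self.locked_until = {}                # ip -> time the ban expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:
            del self.locked_until[ip]         # ban expired
            return False
        return until is not None

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                   # refused before the password is checked
        if password_ok:
            self.failures.pop(ip, None)       # success clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "failed"


def replay(events, limiter=None):
    """Run (time, ip, password_ok) events through a limiter, return outcomes."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed sample events: (seconds, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (15, "198.51.100.2", False),
    (20, "203.0.113.7", False),   # third failure: ban starts
    (30, "203.0.113.7", True),    # right password, still refused
    (40, "198.51.100.2", True),
    (3700, "203.0.113.7", True),  # ban has expired
]
```

Calling `replay(SAMPLE_EVENTS)` shows that a banned address is refused even with the correct password until the ban expires, while other addresses are unaffected.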