I have had two WordPress blogs hacked into formerly. That was at a time when I was doing almost no online marketing, and until I found time to handle the situation (weeks later), these sites were penalized in the major search engines. They weren't eliminated the ratings were reduced.
The secure your wordpress site Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed through an FTP client or within the administrative page from the hosting company.
Everything you have worked for will go with it should the server of your site return. You will make no sales, get no traffic or signups to your website, until you get the site and in short, you are out of business.
Yes, you need to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely if you make changes and regular additions to your website. If you have a community of people that see this are in there all the time, or make changes multiple times a day, a backup should be a minimum.
Now we're getting into matters. Whenever you install WordPress, you need to edit the file config-sample.php and rename view it to config.php. You want to set up the database information there.
These are three click for source things you can do to keep WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your whole account.