My first step is but it helped me. I had a good old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And I did before I even started my website, what I should have done. And here is where I would like you to start also. Learn hacked. The thing about clean hacked wordpress site and why so many click this site people recommend because it is really easy to learn, it is. Unfortunately, that is also a detriment to the health of our sites. We have to learn how to put in a safety fence around our site.
Should the server of your site go down, everything you've worked for will proceed with this. You'll make no sales, get signups or no traffic to your site, until you get the site back up again and in short, you are out of business.
One step you can take is to delete the default administrator account. This is critical because if you don't do it, malicious user know a user name official site that they could try to crack.
Now we are getting into things. Whenever you install WordPress, you need to edit the file config-sample.php and rename it to config.php. You want to set up the database details there.
Just ensure that you can schedule, and you choose a plugin that is up to date with the version and release of WordPress, restore and clone.