I've had two WordPress blogs. That was in a time when I was doing virtually no online advertising, and until I found time to handle the situation (weeks later), these sites were penalized at the major search engines. They were not eliminated the ratings were reduced.
The fix malware problem Codex has an outline of what permissions are okay. Directory and file permissions can be changed via an FTP client or within the administrative page from your hosting company.
You can search. If hackers suddenly hack your website, you can easily restore your website with the use of your files and change everything that has to be the original source changed.
It's a WordPress plugin. They are drop dead easy to install, have all the features you need for a task such as this, and are relatively inexpensive, especially when compared to having to employ someone to get this done for you.
WordPress is one of the platforms for sites and websites. While WordPress is pretty secure out of the box, there are always going to be individuals who wish to make trouble by finding a way to split into accounts or sites to cause damage or inject hidden spammy links. That is why it's important to make sure that your WordPress installation is as secure as possible.
Those are three simple things you can do to maintain WordPress secure without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your whole account.