Cloning your site is another level in fix wordpress malware fix which may be very useful. Cloning simply means that you have backed up your site to a totally different location, (offline, as in a folder, so as not to have SEO issues ) where you can get it in a moment's notice if the need arises.
I protect an access to important files on the blog's server by placing an index.html file in the particular directory, that hides the files from public view.
Keep your WordPress Installation up to date - One of the easiest and most valuable tasks you can do yourself is to make sure your WordPress installation is updated. WordPress provides a notice in your dashboard to you, so there's really no reason to not do this.
You can extend the plugin features with premium anchor plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think you can use more it for free and this plugin is a fantastic option.
Those are three things you can do to maintain WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your whole account.