Cloning your website is just another degree in fix malware problems free that can be very useful. Cloning simply means that you have backed up your site to a totally different place, (offline, as in a folder, in order not to have SEO problems) where you can access it in a moment's notice if the need arises.
Also, don't make the mistake of believing that your web host will have your back as far as WordPress copies go. Not always. It's been my experience that the hosting company may or may not be doing proper backups, while they say that they do. Take that kind of chance?
You should also set the"Anyone Can Register" in Settings/General to away, and you should have some sort of spam plugin. Akismet is the one I use, the old standby, but there are lots of them these days.
What if you visit WP-Content/plugins, can you see that folder? If so, upload that blank Index.html file inside that folder as well so people can not view what plugins you might have. Because if your version of WordPress is current, if you're using an old plugin or a plugin using a security hole, then someone can use that to get access.
When your website is new, you do not always think about needing security but you do need to protect your investment and yourself. Having a site go down and not being able to restore it quickly can mean a loss of click resources customers who can't find you and won't remember to search for your site later. Don't let that happen to you. Back up your site after you get it started, as the site is operational, and schedule frequent backups for as long. That way, you will have WordPress security and peace of mind.