Since scare tactics appear to be what compels some people to take fix wordpress malware a little more seriously, or at least start thinking about the problem, let me shoot a scare tactics your way.
No software system is resistant to bugs and vulnerabilities. Security holes will be found and guys will do their websites best to exploit them. Keeping your software up-to-date is a good way to stave off attacks, once security holes are found, because their products here are the findings will be fixed by reliable software vendors.
Recently, the site of Reuters was murdered by an unknown hacker and posted a news article that was fake. Their reputation is already destroyed because additional reading of what the hacker did, since Reuters is a news site. The same thing may happen to you if you don't pay attention on the security of your WordPress blog.
You can extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. I think this plugin is a fantastic choice and you can use it at no cost.
However, I recommend that you set up the Login LockDown plugin as opposed to any.htaccess controls. That will stops login requests from being permitted from a for an hour or so after three unsuccessful login attempts. If you accomplish this, you can still access your mobile while and yet you have great protection against hackers.