Allow me to shoot a scare tactics your way since scare tactics appear to be what compels some people to take fix wordpress malware a little more seriously, or at the very least start considering the problem.
This is great news as it means that there is a strong community of users and developers that could further improve the platform. Whenever there is a significant group of people trying to achieve something, there'll always be people who will try to take them down.
Move your wp-config.php file one directory up from the WordPress root. WordPress will look for it if it can't be found in the root directory. Additionally, nobody will be able to read the document unless they've SSH or FTP access.
What if you go to WP-Content/plugins, can you see that folder? If so, More Bonuses upload that blank Index.html file inside that folder as well so people can not view what plugins you have. Someone can use this to get access because even if your current version of WordPress is current, if you are using a plugin or an old plugin using a security hole.
The plugin should be updated to stay current with the latest WordPress release, play nice with your plugins and have WordPress cloning and restore capabilities. The ability to clone your website (along with regular copies ) can be helpful if you ever need to do an offline website redesign, among other things.