Cloning your site is just another level in fix wordpress malware that can be very useful. Cloning simply means that you've backed up your website to a completely different place, (offline, as in a folder, so as to not have SEO issues ) where you can access it in a moment's notice if necessary.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, which hides the files from public view.
This is very handy plugin, protecting you against brute-force attacks that are password-crack. It keeps track of the IP address of every failed login attempt. You can configure the plugin to disable login attempts for a range of IP addresses when a certain number of attempts is reached.
Can you view that folder what if you go to WP-Content/plugins? If so, upload that blank Index.html file inside that folder as well so people can not view what plugins you might have. Someone can use that to get access because even if your current version of WordPress is up to date, if you're using a plugin or an old plugin with a check over here security hole.
Oh . And by the way, I was talking about plugins. Make sure it's a secure one when you get a new plugin. Don't install any plugin just because the owner is saying that plugin can allow you to do this or that. Maybe use perhaps, or a test blog to check the plugin get a software engineer to examine it. This way you'll know it is not you could check here a threat for your organization or you.