By default, the newest version of WordPress is pretty darn secure. Anything that might have been added to some fix wordpress malware removal plugins has been considered by the development team of WordPress . In the past , WordPress did have holes but most of them are filled up.
Strong passwords - Do what you can to use a strong password, alpha-numeric, with upper and lower case and special characters. Easy to remember passwords are also easy to guess!
Before you can delete the default admin account, you need to create a new user. To do this go to your WordPress Dashboard and click on User -> Create New User. Then enter all the information you will need to enter.
You may extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think you can use it at no cost and this plugin is a good choice.
However, I recommend that you set up the Login LockDown plugin in place of any.htaccess controls. Login requests will stop from being allowed after three click resources failed login attempts from a certain IP address for one hour. You can get into your panel whilst away from your workplace, and yet you still have good protection against hackers if you do that.