Since scare tactics appear to be what drives some people to take secure your wordpress site a little more seriously, or at the very least start thinking about the issue, allow me to shoot a scare tactics your way.
The approach, and the one I recommend, is to use one of the generation and storage plugins available on your browser. People like RoboForm, but I believe after a free trial period, you need to pay for it. I use the free version of Lastpass, and I recommend it for those who use Firefox or Internet Explorer. That will generate secure passwords for you; you then use one master password to log in.
You also need to place the"Anyone Can Register" in Settings/General to off, and you should have some sort of spam plugin. Akismet is the one I use, the his response old standby, but there are lots of them nowadays.
It is really sexy to fan the flames of fear. That is what journalists and bloggers and politicians and public figures do. It's terrific for readership and it brings money. Balderdash.
The plugin should be regularly updated to remain current with the latest WordPress release, play nice and have WordPress cloning and restore capabilities. The ability to clone your website (along with regular copies ) can be useful if you ever want to do an offline website redesign, among other things.