When I was in college, one of my company instructors told us students that one of the greatest hurdles to making money in business was procrastination.
Cloning, as it applies to fix hacked wordpress site, is the act of creating an exact copy of your WordPress install. What is good is that you can do it in only a few clicks. There are a number of reasons. Here are only a few.
The one I recommend, and the approach, is to use one of the password generation and storage plugins available on your browser. I believe after a trial period, you have to pay for it, although many people like RoboForm. I use the free version of Lastpass, and I recommend it for those who use Firefox or Internet Explorer. That will generate secure passwords for you; you use one master password to log in.
Harness Scanner goes through the files on your site post, comment and database tables in search of anything suspicious. It informs you for odd plugin names. It doesn't remove anything, it simply warns you for threats.
Install the WordPress Firewall Plugin. Stop and this find out here plugin investigates web requests with WordPress-specific heuristics that are easy to recognize attacks.
However, I recommend that you install the Login LockDown plugin rather than any.htaccess controls. Login requests will be ceased by that from being permitted from a specific IP-ADDRESS for an hour or so after three failed login attempts. If you accomplish that, you can still access your admin mobile while and yet you have get more protection against hackers.