It's also important to change your password and admin username if someone helps you and needs your admin and password username to login to do the work. Admin username and your password changes after all of the work is finished. If the person is trustworthy, someone in their company may not be. Better to be safe than sorry!
By default, the latest version of WordPress is pretty darn secure. Anything which may have been added to any fix wordpress malware removal plugins has been considered by the development team of WordPress . Before, WordPress did have holes but most of them are filled up.
A simple way is to use a few tools that are built-in. First of all, don't allow people run a web host security scan to list the documents in your folders and automatically backup your web hosting account.
There is a section of config-sample.php that is headed"Authentication Unique Keys." There are four definitions that appear within the block. A hyperlink is within that part of code. You need to enter that link in your browser, copy the contents which you return, and then replace the keys you have with the unique, pseudo-random keys provided by the website. This makes it harder for attackers to automatically create a"logged-in" cookie for your website.
Black and whitelists pathological-looking phrases based on which field they look inside. (unknown/numeric parameters vs. known article bodies, remark bodies, etc.).
Do your homework and some searching, but if you're pressed for time and need to get this done once and for all, try the WordPress safety plugin that I use. It's a relief to know that my site (and company!) visit homepage are secure.