Keep headers/logos under 125 pixels high. They take up valuable viewing space, especially for laptop users, that is best left for the good stuff to appear "above the fold". Take a cue from the big companies: simple logos done well say it all. This is our #1 pet peeve: screaming logos and headers!
Cloning your website is another layer of WordPress security that can be very useful. Cloning simply means that you have backed up your site to a completely different location (offline, as in a folder, so that you do not create SEO problems) where you can access it at a moment's notice if necessary.
Protect your login credentials: don't keep them where a hacker might find them. Store them offsite, as well as offline. A password manager such as Roboform is good for protecting them, too. Food for thought!
This is a quite useful plugin that protects you against brute-force password-cracking attacks. It keeps track of the IP address of every failed login attempt, and you can configure it to disable login attempts from an IP address once a certain number of failures is reached.
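To show what "tracking failed logins per IP and locking out after a threshold" amounts to in practice, here is an added example that is not the plugin's code or from the original page: a small Python throttle that counts failures per IP inside a sliding window, locks the IP for a fixed period, and replays a constructed authentication log to show which events a site owner would want alerted on. The threshold, window and lockout values are assumptions, not settings from any real plugin.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy values, not taken from any particular plugin.
MAX_ATTEMPTS = 5        # failures allowed inside the window before lockout
WINDOW_SECONDS = 600    # failures older than this no longer count
LOCKOUT_SECONDS = 1200  # how long an IP stays locked once the threshold is hit


@dataclass
class LoginThrottle:
    """Per-IP failed-login counter with a time window and temporary lockout."""
    failures: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip, now):
        """True while the IP is inside its lockout period; expires it otherwise."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Count one failed attempt; return True if the IP is (now) locked."""
        if self.is_locked(ip, now):
            return True
        recent = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self.failures.pop(ip, None)


def replay(log_lines):
    """Replay constructed auth log lines ("<unix_ts> <ip> fail|success") and
    return the throttle decisions worth alerting on, as (ts, ip, event)."""
    throttle = LoginThrottle()
    events = []
    for line in log_lines:
        ts_text, ip, outcome = line.split()
        ts = int(ts_text)
        if throttle.is_locked(ip, ts):
            events.append((ts, ip, "rejected-locked"))
            continue
        if outcome == "fail":
            if throttle.record_failure(ip, ts):
                events.append((ts, ip, "locked"))
        else:
            throttle.record_success(ip)
    return events


# Constructed sample log: one IP fails five times and is then refused while
# locked; another IP fails once and then logs in, which resets its counter.
SAMPLE_LOG = [
    "100 203.0.113.7 fail",
    "110 203.0.113.7 fail",
    "120 203.0.113.7 fail",
    "130 203.0.113.7 fail",
    "140 203.0.113.7 fail",
    "150 203.0.113.7 success",
    "160 198.51.100.2 fail",
    "170 198.51.100.2 success",
    "1400 203.0.113.7 fail",
]

if __name__ == "__main__":
    for event in replay(SAMPLE_LOG):
        print(event)
```

Two points the example makes visible: the lock expires on its own (the failure at time 1400 is counted afresh, not refused), and a legitimate login attempt during the lockout is refused too. That second behaviour is why purely IP-based lockouts need care on sites whose users share an address (office NAT, mobile carriers): combine a per-IP rule with a per-account rule, and send the "locked" events to whatever log or alerting you already monitor.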
Whitelists and blacklists pathological-looking phrases based on the area in which they appear (unknown or numeric parameters versus known post bodies, comment bodies, etc.).
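The point of screening by location is that the same characters are harmless in a comment body and suspicious in a parameter that should only ever be a number. The following is an added example, written for this page and not the plugin's own code, that applies a strict whitelist to numeric and unknown parameters and only a narrow blacklist to known free-text fields. The sets of numeric and free-text field names, and the patterns, are assumptions chosen for illustration.

```python
import re

# Assumed field classes; a real deployment would derive these from the site.
NUMERIC_PARAMS = {"p", "page_id", "cat", "attachment_id", "paged"}
FREE_TEXT_FIELDS = {"comment", "post_content", "post_title"}

# Whitelist for numeric (and unknown) parameters: a plain integer, nothing else.
NUMERIC_OK = re.compile(r"^\d{1,10}$")
# Narrow blacklist for free-text fields: raw script/iframe tags and inline
# event handlers, which have no legitimate place in a comment or post body.
FREE_TEXT_BLOCK = re.compile(
    r"<\s*(script|iframe)\b|\bon(click|load|error|mouseover)\s*=", re.IGNORECASE
)


def classify(name, value):
    """Return 'allow' or 'block' for one field, based on where it appears."""
    if name in FREE_TEXT_FIELDS:
        return "block" if FREE_TEXT_BLOCK.search(value) else "allow"
    # Numeric and unknown parameters are whitelisted: must be a plain integer.
    return "allow" if NUMERIC_OK.fullmatch(value) else "block"


def screen_request(query, body):
    """Screen a request's query string and form body; returns (location, name, decision)."""
    decisions = []
    for name, value in query.items():
        decisions.append(("query", name, classify(name, value)))
    for name, value in body.items():
        decisions.append(("body", name, classify(name, value)))
    return decisions


def blocked_fields(query, body):
    """Just the (location, name) pairs a defender would log or reject."""
    return [(loc, name) for loc, name, d in screen_request(query, body) if d == "block"]


# Constructed sample request: a normal comment, a non-numeric category id,
# an unknown tracking parameter, and a post title carrying a script tag.
SAMPLE_QUERY = {"p": "42", "cat": "7 OR 1=1", "utm_x": "abc"}
SAMPLE_BODY = {"comment": "Nice post, thanks!", "post_title": "<script>alert(1)</script>"}

if __name__ == "__main__":
    for decision in screen_request(SAMPLE_QUERY, SAMPLE_BODY):
        print(decision)
```

Note the asymmetry: the comment "Nice post, thanks!" passes untouched even though a blanket keyword blacklist might trip on ordinary prose, while the unknown parameter `utm_x` is blocked simply because nothing on the site declared it as free text. Treating unknown parameters like numeric ones is the safe default; the cost is that every legitimate free-text field has to be listed.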
Do not use wp_ as the prefix for your own database tables. Some web hosting providers are dropping that default, but if yours does not, change wp_ to anything else.