It's also important to change admin username and your password if you are helped by someone and needs admin username and your password to login to perform the job. After all of the work is complete, admin username and your password changes. Someone in their company may not be, if the man is trustworthy. Better to be safe than sorry!
Since scare tactics appear to be what compels some people to take secure your wordpress website a bit more seriously, or at the very least start considering the problem, let me shoot a couple of scare tactics your way.
Don't depend on your internet host - Many men and women depend on their web host to"do all that technical stuff for me", not realizing that sometimesthey don't! Far better to have the responsibility lie with you, rather than out.
Maintain control of your assets - Nothing is worse than having your livelihood in somebody else's hands. Why take chances with something as important as your website?
Can you view that folder what if you go to WP-Content/plugins? If so, upload this additional info blank Index.html file inside that folder as well so people can't see what plugins you have. Because if your version of WordPress is current, if you're using an old plugin or a plugin with a security hole, someone can use that to get access.
Using a plugin for WordPress security makes sense. WordPress backups need to be performed on a regular basis. Do not become a find out victim of not being proactive about your own 16, because!