Since scare tactics appear to be what drives some people to take fix wordpress malware attack a little more seriously, or at the very least start considering the problem, let me shoot a scare tactics your way.
There are numerous ways to pull off this, and a lot of them involve re-establishing much more and databases and FTPing files, exporting and copying. Some of them are very complex, so it is imperative that you select the right one. Then you might want to look into using a plugin for WordPress backups, if you are not of the persuasion.
Yes, you want to do regular backups of your site. I recommend at least a weekly database backup website here and a monthly "full" backup. More, if at all possible. Definitely if you make frequent additions and changes to your website. If you have a community of people which are in there all the time, or make changes multiple times a day, a backup should be a minimum.
Can you see that folder Imagine if you visit WP-Content/plugins? If so, upload that blank Index.html file inside that folder as well so people can't see what plugins you might have. Someone can use this to get access because if your version of WordPress is up to date, if you are using a plugin check this or an old plugin with a security hole.
I prefer to use a WordPress plugin to get the job done. Make sure the plugin you select is able to do backups, has restore and can clone. Be sites sure it is often updated to keep pace. There's absolutely no use in not functioning, and backing your data up to a plugin that is out of date.