By default, the newest version of WordPress is pretty secure. The development team of WordPress has considered anything that might have been added to any fix wordpress malware removal plugins. Before, WordPress did have holes but most of them are stuffed up.
This is great news because it means that there's a strong community of developers and users that can further improve the platform. However, whenever there is a big group there will always be people who will try to take them down.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if at all possible. Definitely if you make regular additions and changes to your website. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
Another step to take to make WordPress secure is to upgrade Your Domain Name WordPress. The reason behind this is that there also come fixes for security holes making it essential to update.
Implementing all the above will probably take less than an hour to finish, while making your WordPress website more immune to intrusions. Over 1 million WordPress websites were cracked last year, mainly due to preventable security gaps. Have yourself prepared and you are likely to be on the safe side.