Install the fix wordpress malware cleanup Firewall Plugin. This plugin investigates net requests with WordPress-particular heuristics that are straightforward to identify and quit attacks that are most obvious.
Everything you have worked for will go with it should your site's server return. You will make no sales, get no traffic or signups to your site, until you have the site back up again and in short, you're out dig this of business.
Is to delete the default administrator account. This is critical because if you don't do it, malicious user already know a user name that they could attempt to crack.
Make a note of your new password! I recommend the paid or free version of the software that is secure *Roboform* to remember your passwords.
There is another problem you have with WordPress. People know they also could just visit your login form and where they can login and try a different combination of passwords and user accounts outside. In order to stop this from happening you want to set up Login Lockdown. It's a plugin that only lets users attempt and login with a password three times. After that the IP address will be banned from the server for a certain amount of time.