Allow me to shoot a couple of scare tactics your way since scare tactics seem to be what drives some people to take fix wordpress malware a little more seriously, or at the very least start thinking about the problem.
Safeguard your login credentials - Don't keep your login credentials where they might be found by a hacker. Store them offsite, as well as offline. Roboform is for protecting them very internet good . Food for thought!
You should also place the"Anyone Can Register" in Settings/General to away, and you should have some type of spam plugin. Akismet is the one I use, the old standby, but there are lots of them nowadays.
It's time to register for a new Facebook accounts and use this person's name and identity. After I get it all set up, I'll be emailing you posing as your friend and asking you to be friends with me on Facebook (or Twitter, or whichever societal site).
Do your homework and some searching, but if you are pressed for time and want to get this try the WordPress security plugin that I use. It is a relief to know that my website (and business!) are secure.