Ultimately, secure your wordpress site will also inform you that there is not any htaccess inside the directory. You can put a.htaccess record in to this directory if you would like, and you can use it to handle this wp-admin directory by Ip Address address or address range. Details of how you can do that are plentiful around the net.
Everything you've worked for will go with this should the server of your site return. You will make no sales, get signups or no visitors to your site, and in short, you're out of business until you have the site back up again.
You should also place the"Anyone Can Register" in Settings/General to away, and you ought to have some sort of spam plugin. Akismet is the one I use, the old standby, but there are lots of them nowadays.
Along with adding a secret key to your wp-config.php file, also think about altering your user password into something that is strong and unique. WordPress will tell you the strength of your password, but a great tip is to avoid phrases, use letters, and include amounts. It's also a good idea to change your password frequently - say once every six months.
Do your homework and some searching, but if you're pressed for time and need to get this done once and for all, try the WordPress like this safety plugin that I use. It's a relief to know that my website (and business!) are secure.