By default, the newest version of WordPress is pretty darn secure. Anything that might have been added to any fix malware problem plugins has been considered by the development team of WordPress . Before, WordPress did have holes but now most of them are stuffed up.
There are many ways to pull this off, and a lot of them involve copying and FTPing files, exporting and re-establishing much more and databases. Some of these are very complex, so it's imperative that you select the one that is right. Then you may want to look into using a plugin for WordPress backups if you're not of the persuasion that is technical.
You should also set the"Anyone Can Register" in Settings/General to off, and you should have some sort of spam plugin. Akismet is the old standby, the one I use, but there are lots of them these days.
Security plug-ins that were all-Rounder can be considered great site as a security checker. They scan and check the whole website and provide you with information about the weaknesses of the website.
There is another problem you have with WordPress. People always know where they can login and they could visit with your login form and try a different combination of passwords and user accounts out. In order to prevent this from happening you want to install Login Lockdown. It's a plugin that lets users attempt and login with a wrong password three times. After that the IP address will be banned from the server for a specific amount of time.