Since scare tactics seem to be at least start considering the issue, or what compels some people to take fix wordpress malware attack a little more seriously, allow me to shoot a scare tactics your way.
I might find it somewhat more difficult to crack your password, if you're one of the ones that are proactive. But if you're one of the ones that are responsive, I might just get you.
Yes, you need to do regular backups of Resources your site. I recommend at least a weekly database backup and a monthly "full" backup. More. Definitely, if you make regular additions and changes to your website. If you make changes multiple times a day, or have a community of people that are in there all the time, a backup should be a minimum.
You can extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, go now DropShop etc.. So I think this plugin is a fantastic choice and you can use it.
Always keep in mind the safety of your sites depend on how you handle them. Make sure that you follow these tips to avoid exploits and hacks on websites and your own blogs.