Here is an example of how you can set up a back up system for a Drupal web site with Drush. Daily backups are kept for a week, after which they are deleted, and the weekly, full backups are deleted after 30 days. This script comes with no warranties of any kind, as always, test thoroughly before using it.
Drupal has a flood protection feature, which bans a user after a number of failed login attempts:
"Drupal 7 prevents brute force attacks on accounts. It blocks login by a user that has more than 5 failed login attempts (within six hours) or an IP address that has more than 50 failed login attempts (within one hour)."
When you update Drupal core, the .htaccess file is overwritten with the latest version. This also means that any www redirects in that file are lost, and you have to re-apply them, which is annoying, and a problem if you forget to do it after updating. The reason why it is important to only show URLs with OR without www. in front of them, is to avoid what Google considers duplicate content.