Cloning your site is just another level in fix malware problem that can be very useful. Cloning simply means that you have backed up your website to a totally different location, (offline, as in a folder, so as not to have SEO issues ) where you can access it at a moment's notice if necessary.
Also, don't make the mistake of thinking that your web host will have your back as far as WordPress copies go. Not always. It's been my experience that the hosting company may or might not be doing backups, while they say they do. Why take that kind of chance?
Exploit Scanner goes through the files on your website database, comment and place tables. You are also notified by resource it for plugin names. It doesn't remove anything, it simply warns you.
Black and whitelists phrases based on which field they look inside, in a page request. (unknown/numeric parameters vs. known article bodies, comment bodies, etc.).
These are a few of the things I do to secure my blogs. Great thing is that they don't require much time to do. These are also options, which can be done easily.