Malware, malware, malware and security

Really need some help and direction. We recently had a few malware attacks that infiltrated our htaccess file. We have 1100 users, and this redirect was really inappropriate.

Can anyone suggest some best practices for a WMPS install that will make our installation the MOST secure? Keep in mind that many of our users are 7/8 years old and up, and we'd like to make things as simple for them as possible. Long captcha codes do not work for the young ones.

We have the latest version of WP. We were using WP Total Cache, and we suspect that the malware attack was a vulnerability in that, not sure.

The MS has also been running a little slow, and we've been trying to speed things up. Your help and direction are very much appreciated.

What are your best practices?

Thanks!