rename your login url to secure your wordpress website will tell you that there's no htaccess from the directory. You can put a.htaccess file into this directory if you desire, and you can use it to control access to the directory or address range. Details of how to do that are readily available on the internet.
Do not depend on your Web host - Many people rely on their web host find here to"do all that technical stuff for me", not realizing that sometimes, they don't! Far better to have the responsibility lie instead of out.
What is? Out of all the options you can make, which one should you choose and which one is ideal for you specifically at the moment?
What if you visit WP-Content/plugins, can you see that folder? If so, upload this blank Index.html file inside that folder as well so people can't see what plugins you have. Someone can use this to get access because if your version of WordPress is up to date, if you are using a plugin or an old plugin with a security hole.
Of course you can install plugins to make your store more user-friendly like automated plugin or share buttons. That's all. Your store is up and running!