Even if a Wordpress Website is personal, hackers find it by way of searching for clues of life in the software itself.
As of late the new hack is a system of "hammering attacks" on the Login Page (wp-login.php and xmlrpc.php) of Wordpress websites.
Once a bot starts on yours, it doesn't stop. The damage is imminent even if they never gain access.
Of course you could remove those files, but your site won't run properly. Setting permissions to 0000 is only a temporary solution. If applied to the files it cripples the site and when applied to the site it's unseen to all.
It sounds innocuous at first, but 1000's of attempts per minute over periods of 12-24 hours eventually causes a site to top out server resources; the result is that the site turns off. Sure it'll turn back on in a day or so but the bot tends to return.
Sadly, once a site is targeted.. it suffers constant grief.
Such attacks have occurred to a few clients at COOLCOM and according to some google searches this is the number one growing issue with Wordpress Websites attacks. Left vulnerable to this kind of attack the expense of getting rid of the bot rises.
The fees to recover a site and apply fixes once it has been targeted and brought down are upward of 50.00.