(1) Ranges of addresses can be blocked in .htaccess, yes. Steel yourself, then Search here for .htaccess, then look also consider looking at Apache.org itself for extensive documentation.
(2) Report that specific address to your server's support, they can block it system wide.
(3) In your hosting control panel, password the admin/ (sub)directory, so that there's a dual challenge, the server's and the OC admin panel's, for access to the log-in screen. Minor inconvenience, consider increase in security.
(4) Set the encryption key for typically 64, 128, 256 digits (fewer will work) of alphanumeric gibberish.
(5) Delete those files. Executable .jpg (and .png, etc.) files are themselves an immediate flag that they are bad. Images do not "execute" except in .gif and .png animations (and more sophisticated counterparts), which perforce amble through a stack or sequence of frame differences. If that happens on your own local machine, ensure that they are deleted (empty the Recycle Bin or Trash, flush the anti-whateverware vaults). On a server, deleting them will pretty well kill them dead-dead.
(6) Require strict (such as preassigned) registration for uploading, and password affected (sub)directories the same way as the admin/ (sub)directory, for some semblance of peace of mind. Uploading from the public is an inherent vulnerability. Check it frequently for bad files. Make them request a user/pass combination, daily, weekly, whatever won't drive you nuts. Whatever they're being allowed to upload, think through whether you really want them to be able to do that.
(7) Changing mission-critical usernames and passwords is a standard precaution. Be sure that they are properly encrypted (Apache itself and reliable others provide encryption executables, *.exe). Be sure to have a reference text or piece of paper for the time when you've, um, forgotten your, um, keys.
(8) Yes, there is more, but let's pause there.