The fix wordpress malware virus Codex has an outline of what permissions are okay. File and directory permissions can be changed either via an FTP client or within the page from your web host.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, which hides the files out of public view.
Is to delete the default administrator account. This is critical because if you don't do it, a user name that they could attempt to crack is already known by malicious user.
Another step to take to make WordPress more secure is to always upgrade WordPress. The main reason for this is that with every new upgrade there also come fixes for old security holes which makes it essential to upgrade early.
The plugin should be regularly updated to stay current with the latest WordPress release, play nice with of your plugins and have WordPress and restore capabilities. The ability to clone your website (in addition to regular published here backups) can be helpful if you ever want to see here do an offline site redesign, among other things.