The fix wordpress malware removal Codex has an outline of what permissions are okay. File and directory permissions can be changed through an FTP client or within the page from the hosting company.
There are many ways to pull off this, and many involve copying and FTPing files, exporting and re-establishing much more my response and databases. Some of them are very complicated, so it's imperative that you go for the one that is right. If you're not of the persuasion that is technical, then you may want to look into using a plugin for WordPress backups.
This is quite handy plugin, protecting you against brute-force password-crack strikes. It keeps track of the IP address of every login attempt. You can configure the plugin to disable login attempts for a selection of IP addresses when a certain number of attempts is reached.
Another step to take to make WordPress address secure is to always upgrade WordPress. The reason for this is that there come fixes for old security holes making it essential to update.
These are three simple things you can do to keep WordPress safe without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your entire account.