The fix wordpress malware Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either through an FTP client or within the page from your web host.
A simple way to keep WordPress safe would be to use a few built-in tools. First of all, do not allow people to list the files run a web host security scan and automatically backup your whole web hosting account.
1 thing you can take is to delete the default administrator account. This is important because if you do not do it, a user name that they could try to crack is already known by malicious user.
Safety plug-ins can be thought of as a security checker that was check that complete. They give you information about the probable weaknesses of the site and see this scan and check the website.
Just make sure you choose a plugin that's current with release and the version of WordPress, and which you can schedule, restore and replicate.