The WordPress Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed through an FTP client or through the hosting company's administrative page.
Use strong passwords - Do what you can to use an alphanumeric password. Easy-to-remember passwords are easy to guess!
Delete the default administrator account. This is important because if you don't, malicious users already know a user name that they can try to crack.
Pathological-looking phrases are whitelisted and blacklisted based on which field of a page request they appear in (unknown/numeric parameters vs. known article bodies, comment bodies, etc.).
Using a plugin for WordPress security just makes sense. Backups need to be carried out on a regular basis. Do not become a victim as a result of not being proactive about your site!