The fix wordpress malware fix Codex has an outline of what permissions are okay. Directory and file permissions can be changed through an FTP client or within the page from your web host.
No software system is resistant to bugs and vulnerabilities. Security holes will be discovered and bad guys will do their best to exploit them. Keeping your software up-to-date is a fantastic way once security holes are found because their products will be helpful hints fixed by software sellers that are reliable.
There is a section of config-sample.php that is headed"Authentication Unique Keys." There are. A hyperlink is inside that part of code. You need to enter that link into your browser, copy the contents that you get back, and then replace the keys you have with the unique, pseudo-random keys offered by the website. This makes it harder for attackers to automatically create a"logged-in" cookie for your website.
Install the WordPress Firewall Plugin. This plugin investigates web requests to recognize and prevent obvious attacks.
Don't use wp_ as a prefix for your own databases. That default is being eliminated by most web hosting providers now but if yours doesn't, adjust wp_ to anything but that.