The WordPress Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed through an FTP client or from within the web host's administration page.
Essentially, it all starts with the basics. Use strong passwords. Combine letters, numbers, special characters, and spaces to make a password that is unique. You could also use usernames that aren't obvious.
Yes, you need to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More often if at all possible, and definitely if you make changes and additions to your website. If you make changes multiple times a day, or have a community of people who are in there all the time, a daily backup should be a minimum.
All-rounder security plugins can be considered full security checkers. They check and scan the website and give you information about its possible weaknesses.
Do your homework and some hunting, but if you are pressed for time and want to get this done once and for all, try the WordPress security plugin that I use. It's a relief to know that my site (and company!) are secure.