The last year and a half has taught us that WordPress security shouldn't be taken lightly by any means. Between 15% and 20% of the planet's high-traffic sites are powered by WordPress. The fact that it is an open-source platform and everyone has access to its source code makes it a target for hackers.
The WordPress Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either via an FTP client or from your web host's administration page.
The one I personally recommend, and the stronger approach, is to use one of the password generation and storage plugins available for your browser. RoboForm is popular, but I think you need to pay for it after a free trial period. I use the free version of LastPass, and I recommend it for those of you who use Firefox or Internet Explorer. It will generate passwords for you; you then use one master password to log in.
Maintain control of your assets - Nothing is worse than having your livelihood in somebody else's hands. Why take chances with something as important as your website?
If you go to wp-content/plugins, can you see the contents of that folder? If so, upload this blank index.html file inside that folder as well so people cannot view what plugins you have. Someone can use this to get access because, even if your version of WordPress is current, you may be using a plugin, or an old version of a plugin, with a security hole.
There is another problem you have with WordPress. People know where your login form is, and they can drop by and try out different combinations of passwords and user accounts. To prevent this from happening, set up Login Lockdown. It's a plugin that only lets users try to log in with a password three times. After that, the IP address is banned from the server for a specific amount of time.
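The lockout rule described above (three failed tries, then a timed ban on the IP address), as an added Python example. It is not the Login Lockdown plugin's own code, and the five-minute counting window, one-hour ban, class name and sample addresses are assumptions.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 3      # from the text: three tries per IP
WINDOW_SECONDS = 300  # assumption: failures are counted over 5 minutes
BAN_SECONDS = 3600    # assumption: the ban lasts one hour


class Lockout:
    """Hypothetical per-IP lockout tracker (not the plugin's own code)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.banned_until = {}              # ip -> time the ban ends

    def attempt(self, ip, password_ok, now):
        """Record one login attempt; return 'ok', 'failed' or 'banned'."""
        # A banned IP is refused before the password is even considered.
        if now < self.banned_until.get(ip, 0):
            return "banned"
        self.banned_until.pop(ip, None)  # ban expired (or never existed)
        if password_ok:
            # Failures are left in place: a valid login from the same IP
            # must not let a guesser reset the counter between tries.
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:  # forget old failures
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            self.banned_until[ip] = now + BAN_SECONDS
            del self.failures[ip]
            return "banned"
        return "failed"


# Constructed sample events: (seconds, source IP, password correct?)
EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),     # third failure: ban starts
    (30, "203.0.113.7", True),      # right password, still banned
    (40, "198.51.100.2", False),    # another IP has its own counter
    (3700, "203.0.113.7", True),    # ban has expired
    (3710, "198.51.100.2", False),  # earlier failure aged out
]


def replay(events):
    guard = Lockout()
    return [guard.attempt(ip, ok, ts) for ts, ip, ok in events]
```

The lockout is keyed on the source IP only, so guesses spread across many addresses each get their own three tries; strong passwords remain the primary control.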