The WordPress Codex has an outline of which permissions are okay. File and directory permissions can be changed either via an FTP client or from the administrative page provided by the hosting company.
Hackers do not have the power to get into a WordPress blog when you have all of these lined up for your security. You can definitely have a safe WordPress account which gives you big bucks from affiliate marketing.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. Definitely more if you make changes and frequent additions to your site. If you make changes multiple times a day, or have a community of people that are in there all the time, a backup should be a minimum.
Now we're getting into matters specific to WordPress. When you install WordPress, you must modify the file config-sample.php and rename it to config.php. You need to set up the database details there.
Using a plugin for WordPress security makes sense. WordPress backups need to be carried out on a regular basis. Don't become a victim as a result of not being proactive!