The WordPress Codex has an outline of which permissions are okay. File and directory permissions can be changed via an FTP client or from the administrative page provided by the hosting company.
Don't make the mistake of believing that your hosting company will have your back as far as WordPress backups go. Not always. It's been my experience that the company may or may not be doing backups, even though they say that they do. Why take that kind of chance?
You also need to set "Anyone Can Register" in Settings/General to off, and you should have some type of spam plugin. Akismet is the old standby, and the one I use, but there are lots of them nowadays.
BACK UP your site and keep a copy on your own computer and storage. For those who have a site that is very active, back up every day. You spend a lot of time and money on your website, so do not skip this! BackupBuddy backs up your database, widgets, plugins and your files. Need to move your website? It will do it in under a couple of minutes!
But realize that security is something you must start thinking about. Don't just think about it; take action today to begin protecting yourself. Do not let Joe the Hacker make your life miserable and make all that you've worked so hard to create come crashing down in a matter of seconds.