The how to fix hacked wordpress Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed through an FTP client or within the page from the web host.
There are many ways to pull off this, and many of them involve re-establishing databases and much more and FTPing files, exporting and copying. Some of them are very complicated, so it is imperative that you select the best one. If you're not of the persuasion that is technical, then you might want to check into using a plugin for WordPress backups.
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it if it cannot be found in the main directory. Also, nobody else will have the ability to read the file unless they've FTP or SSH access to your server.
You may extend the plugin features with premium plugins like: Amazon S3 plugin, Members only plugin, DropShop etc.. So I think this plugin is a good choice and you can use it at no cost.
Oh browse around this site . And by the way, I was talking about plugins. Make sure it's a secure one when you get a new plugin. Don't install any plugin simply because the owner is saying on his website that plugin will allow you to do that or this. Use a test site to look at the plugin, or maybe get a software engineer to analyze it carefully. This way you'll weblink know it isn't a threat for you or your business.