The fix wordpress malware Codex has an outline of what permissions are okay. File and directory permissions can be changed either via an FTP client or within the administrative page from your web host.
Don't make the mistake of thinking that your hosting company will have your back as far as WordPress copies go. Not always. It has been my experience that the hosting company may or may not be doing backups while they say that they do. Take that kind of More Info chance?
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it if it cannot be found in the main directory. Also, nobody will have the ability to read the document unless they have FTP or SSH access.
Now we are getting into things specific to WordPress. Whenever you install WordPress, you have to edit the file config-sample.php and rename it to config.php. You need to install the database information there.
I prefer using a WordPress plugin to get the job done. Just make sure is in a position to do copies that are select, has restore performance, and can replicate. Also be sure that it is home often updated to keep pace. There's absolutely not any use in backing your data up to a plugin that is out of date, and not working.