The fix hacked wordpress site Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either via an FTP client or within the administrative page from your web host.
No software system is resistant to vulnerabilities and bugs. Security you can check here holes will be found and guys will do their best to exploit them. Keeping your software up-to-date is a fantastic way once security holes are found because their products will be fixed by reliable software sellers.
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make regular additions and changes to your site, definitely. If you have a community of people that are in there all the time, or make changes multiple times a day, a backup should be a minimum.
What's the best way? Out of all of the possible choices that are available today, which one is appropriate for you their website and which path should you choose?
Those are three very simple things you can do to maintain WordPress safe without plugins. Set a blank Index.html file in your folders, run your web host dig this security scan and backup your whole account.