The fix wordpress malware removal Codex has an outline of what permissions are okay. Directory and file permissions can be changed either through an FTP client or within the page from the web host.
A simple way would be to use a few built-in tools. First of all, don't allow people run a web host security scan, to list the documents in your folders and automatically backup these details your whole web hosting account.
Recently, the site of Reuters was murdered by an unknown hacker and posted a news article that was fake. Since Reuters is a news site, their reputation is already ruined because of what the hacker did. The same thing may happen to you if you don't pay attention on the safety of your WordPress blog.
Whitelists phrases and black based on which field they look within. (unknown/numeric parameters vs. known article bodies, comment bodies, etc.).
However, I advise that you set up the Login LockDown plugin rather than any.htaccess controls. That will stops login requests from being allowed from a specific IP-ADDRESS for an hour or so after three unsuccessful login attempts. You can access your mobile while from your office, and yet you have protection against hackers if you accomplish this.