The fix wordpress malware removal Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed through an FTP client or within the administrative page from the web host.
Use strong passwords - Do your best to use a strong password, alpha-numeric. Easy to remember passwords are also easy to guess!
This is quite handy plugin, protecting you against brute-force attacks that are password-crack. It keeps track of the IP address of every failed login attempt. You can configure the plugin to disable login attempts for a range of IP addresses when a certain number of attempts is reached.
Can you see that folder what if you visit WP-Content/plugins? If so, upload this blank Index.html file inside that folder as well so people can't view what plugins you might have. Because even if your version of WordPress is up to date, if you are using a plugin or an old plugin with a security hole, then someone can use that to get access.
Do not use wp_. Most web hosting providers are removing that default now but see it here if yours doesn't, adjust wp_ to anything else but that.