The fix wordpress malware fix Codex has an outline of what permissions are acceptable. File and directory permissions can be changed via an FTP client or within the administrative page from the hosting company.
Don't make the mistake of thinking that your hosting company will have your back so far as WordPress backups go. Not always. While they say they do, it has been my experience that the hosting company may or might not be doing backups. Why take that kind of chance?
Before you can delete the default admin account, you first must create a new user. To do this go to your WordPress Dashboard and click on User -> Create New User. Enter all the information you need to enter.
Another step to take to make WordPress more secure is to always upgrade WordPress to the latest version. The reason behind this is that there also come fixes for security holes making it essential to update early.
However, I advise that you install the Login LockDown plugin as opposed to any.htaccess controls. That will stops login requests from being allowed from a specific IP-ADDRESS for an hour or so click this link after three unsuccessful login attempts. It is still possible to access your admin mobile while and yet you have protection against hackers if you accomplish that.