The fix wordpress malware scanner Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either via an FTP client or within the administrative page from your hosting company.
Protect your login credentials - Do not keep your login credentials where a hacker might locate them. Store them off, and even offline. Roboform is good for protecting them, too. Food for thought!
What is the best solution you should pick? Out of all the possible choices you can make, which one should you choose and which one is right for you specifically at the moment?
What if you visit WP-Content/plugins, can you see that folder? If so, upload that blank Index.html file inside that folder as well so people can not see what plugins you might have. Because even if your version of WordPress link is up to date, if you're using a plugin or an old plugin using a security hole, then someone can More Help use that to get access.
However, I advise that you install the Login LockDown plugin instead of any.htaccess controls. From being permitted after three failed login attempts from a specific IP address for one hour, login click site requests will stop. You can access your panel while away from your workplace, and yet you still have great protection against hackers, if you do that.