I think there's been a breakdown in communication.
I believe that the host would like to know if your friend (let's call him the author) is using a fixed IP on his internet connection at home. They might like to know that, so they can restrict access to admin files only to that IP address.
Make sense now?
WordPress doesn't assign IPs, of course... but your host may want to ensure that only the author can get access to the back-end of WordPress.
All of this is a worse idea than having your host make sure that their group permissions are set correctly, and then upgrading the blog to 2.5.1 to patch any security issues present in WordPress itself.
Of course, you could do BOTH, but sitting around on version 2.3.3 once you've been hacked is probably a bad idea.
Mind you... none of this will help if you still have compromised files on there. You *must* clear out everything from the hosting space, being careful to back up media... and then re-upload fresh WordPress files and fresh copies of all your plugins.
Be careful about keeping your plugins updated too... it wouldn't be the first time someone had their "WordPress" hacked via a plugin.