Some of the basics...
Do not use single (and obvious) word or name passwords for your logins. It's amazing how often a simple rule like this is ignored. Use a password generator, or think up a not so obvious combo of words, numbers and phrases; and implement different passwords for each login you have (including your host admin account and MySQL user, if possible). If you need to keep a physical copy of passwords somewhere, don't make that taped to the monitor or stuck on a bulletin board next to your desk.
Delete all import*.php, install*.php and upgrade*.php files in the wp-admin/ directory. Though unlikely to cause problems, once WP is installed (or upgraded) and running there's no need for them. If *not* allowing user registration, wp-register.php (blog root) can be removed.
With directory permissions, typically 755 is best, though many setups (or certain directories) require 775. For files, use 644 (or 664). The goal is to not provide public write access to anything. Exceptions are to low-priority, temporary files and directories such as a cache folder, but even here there shouldn't be a need to make them publically writable. If so, something is off with the server. If your host cannot make the appropriate changes, think about a new host.