The how to fix hacked wordpress Codex has an outline of what permissions are okay. File and directory permissions can be changed through an FTP client or within the administrative page from the hosting company.
The one I recommend, and the more powerful approach, is to use one of the password generation and storage plugins available on your browser. I think after a free trial period, you need to pay for it, although people like RoboForm. I use the free version of Lastpass, and I recommend it for those of you who use Internet Explorer or Firefox. That will generate passwords for you.
So what is the solution you should choose? Out of all the options you can make, which one should you choose and which one is right for you right now?
Now we are getting into matters specific to WordPress. You must rename it to config.php you can look here and modify the document config-sample.php, when you install WordPress. You need to deploy the database facts there.
However, I recommend that you set up the Login LockDown plugin in place of any.htaccess controls. From being allowed after three failed login attempts from a specific IP address for one hour login requests will stop. You can still get into your admin panel whilst and yet you have protection against hackers, if you do that.