Additionally, it is important to change your password and admin username if someone will help you with your site and needs admin username and your password to login to perform the work. Admin username and your password changes after all the work is finished. Someone in their company may not be even if the person is trustworthy. Better to be safe than sorry!
The fix wordpress malware removal Codex has an outline of what permissions are acceptable. Directory and file permissions can be changed either through an FTP client or within the page from your web host.
There are ways to pull this off, and many involve re-establishing databases and more and FTPing files, exporting and copying. Some of them are very complicated, so it's imperative that you select the right one. If you're not of the persuasion that is technical, then you may want to look into using a plugin for WordPress backups.
Yes, you want to do regular backups of your website. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make changes and frequent additions to your site, definitely. If you make changes multiple times a day, or have a community of people that are in there all the time, a backup should be a minimum.
Another step to take to make WordPress secure is to always upgrade WordPress to the latest version. The main reason for this is that there also come fixes for old security holes which makes it essential to update early.
Just make sure you decide on a plugin that is current with release and the version of WordPress, and that browse around this site you can schedule, restore imp source and clone.