Last year and a half taught us that WordPress security shouldn't be dismissed by any means. Between 15% and 20% of the world's high traffic websites are powered by WordPress. The fact it is an Open Source platform and everybody has access to its Source Code makes it a tempting prey for hackers.
The fix hacked wordpress Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either via an FTP client or within the page from your web host.
I protect an access to important files on the blog's server by putting an index.html file in the particular directory, that hides the files from public view.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More. If you make frequent additions and changes definitely. If you make changes multiple times a day, or have a community of people that are in there all the time, a backup should be a minimum.
BACK UP your site and keep a copy on your own computer and off-site storage. For those who have a very active website, back. You spend a lot of money and time on your site, do not skip this! Is BackupBuddy, no additional plug-ins back up plugins, widgets, your documents and database. Need to move your website this will do it!
Those are three see here now simple things you can do to maintain WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your entire account.