The WordPress Codex has an outline of which permissions are okay. File and directory permissions can be changed via an FTP client or through the page provided by your web host.
Use strong passwords - Do what you can to use an alphanumeric password. Passwords that are easy to remember are also easy to guess!
Delete the default administrator account. This is important because if you don't, malicious users already know a user name that they could attempt to crack.
You can extend the plugin's features with premium plugins such as the Amazon S3 plugin, the Members only plugin, DropShop, etc. So I think this plugin is a good option, and you can use it at no cost.
Change your password, or at least your WordPress password and admin username, and collect and use fantastic WordPress security tips to keep hackers out!