By default, most hosts allow directory listing. Because there are a standard set of directories in a WordPress installation, the hacker can go directly to the directory inside your site and see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.
This is a simple but important problem to fix. You have three options:
- Place an empty file in each directory with the name INDEX.HTML or INDEX.PHP
- If you are using an Apache webserver, modify your .htaccess file
- Use a Security plugin (see the end of the series for suggestions)