Use secure passwords
Insecure passwords are the most common security vulnerability. If an account password is insecure and becomes compromised, client sites can be defaced, infected, or used to spread viruses. Secure passwords are of paramount importance if you wish to have a secure server.
- Generally, a password that utilizes at least eight characters, which includes alphanumeric and grammatical symbols, is sufficient.
- Never use passwords that are based on dictionary words or significant dates.
- If a password can be broken in a few hours, then it is probably too insecure and should not be used.
- Never use a password that you are using for other account(s) also.
Delete unused accounts
Please delete all the unused accounts including email,FTP,WordPress account, DB user etc.
Always update your script
Are you using any script like WordPress, Joomla, Drupal etc ? Make sure you have the latest version. Every version has the fix for any found bugs or issues if you are not updating the script means your account is not secure.
Install trusted plugin
Always install plugins developed by a trusted organization. Plugin may have some code that can access your account files/data.
You may use the following two factor authentication for WordPress.