julianodls Hello, I have a few suggestions here, too
1, do not use unofficial WordPress plug-ins, because the official WordPress open plug-in customization portal, anyone can modify and upload his plug-in extension code, I have encountered users because of the installation of a plug-in was extorted bitcoin
2, do not use weak passwords. If the server password is 123456, almost no cost to take down the server privileges
3, do not use the port do not release, if you need to use, please specify a certain ip to access the port
4, the panel to do a long backup, in the scheduled tasks, you can upload the backup to AWS|Google Cloud Drive, so as small as possible to reduce losses
5, if sufficient funds, we recommend the use of security software, such as our WAF firewall, Web site Tamper-proof