These are some of the things we recommend you do to help secure your website.
1) Keep software/scripts up to date. You need to regularly monitor the web sites of the developers of any scripts you use. Watch for security and bug fix patches and smaller point (0.0.x) releases. You should not wait to install these. Do so as soon as you can. Hackers look for slightly outdated versions with a confirmed security flaw and try to exploit it, often on the same day a new release is out or sometimes even earlier than that.
2) Use secure passwords. We already enforce password policies that require you to use a password of a certain strength. However, make sure that your password is also stored securely: keeping passwords on your desktop, or in fact anywhere on your computer, is a bad idea. Physically writing your passwords down is the best way forward.
3) Make sure your files are using the correct CHMOD permissions. CHMOD file permissions assign a specific value to every file/folder on your server, which allows different levels of access. CHMOD permissions range from 000 (no access) to 777 (full access). You must decide which files get what permissions, but be warned that some third-party software requires higher permissions to operate properly. You need to balance features against security and make an informed decision.
4) Don’t use generic usernames. Using common words for usernames, such as admin, administrator or Site Owner, simply makes the hacker’s job a lot easier.
6) Don’t place files or directories into your site’s web root (public_html) if you aren’t actively using them. Remove old files and directories as soon as you are finished with them. A lot of people make the mistake of leaving old scripts, files, and directories in place after their site no longer needs those items. Hackers, scammers, and spammers may be able to use this old or forgotten content to compromise your site. However, they cannot exploit these things if they aren’t hosted on your site anymore.
7) Remove old accounts. Any Email Accounts, Databases, FTP Accounts, etc. should be removed once you are done with them. Why leave one more account at risk of being compromised if it isn't being used anymore?
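An added example for tip 3, not part of the original article: a shell audit that lists everything under a web root that any user on the server may modify (modes such as 666 or 777), plus a helper that removes only that world-write bit. The function names are illustrative, and the directory you pass (for example public_html) is an assumption about your account layout.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable files and directories.
# Usage (path is an assumption, adjust to your account): sh audit.sh ~/public_html

# Show each entry whose "other" write bit is set (e.g. 666, 777), with its mode.
# Symlinks are skipped because their own mode bits are not meaningful.
report_world_writable() {
    find "$1" ! -type l -perm -0002 -exec ls -ld {} +
}

# Count those entries. One byte is emitted per match, so odd file names
# (spaces, newlines) cannot skew the total.
count_world_writable() {
    find "$1" ! -type l -perm -0002 -exec printf x \; | wc -c | tr -d ' '
}

# Remove only the world-write bit and leave every other bit untouched
# (777 becomes 775, 666 becomes 664). Review the report first: as tip 3
# notes, some third-party software needs higher permissions to work.
remove_world_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "World-writable entries under $1:"
    report_world_writable "$1"
    echo "Total: $(count_world_writable "$1")"
fi
```

The audit itself changes nothing; call remove_world_write only after checking that nothing in the report relies on the looser mode.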
Hopefully the tips above give you a hand with what to do from now on to prevent your website from being hacked.