From Josh at GetaHostNow.com

TOP WAYS TO KEEP YOUR SITE SECURE

This is NOT in order of importance.
1. Install an SSL certificate (I give you one for free.)
2. Keep your WordPress website version up to date
3. Keep your plugins up to date (remove and replace ones that are not supported or compatible with your WP version)
4. Keep your Theme up to date
5. Backups, and more backups. OFF SERVER. The UpdraftPlus plugin will let you connect to Google Drive (15 GB of storage!). When you log into WP, do a backup; after you make changes, do a backup. It always pays to be safe.
6. Make all passwords STRONG and update them a couple times per year to be safe. (cPanel Pass and WP pass)
7. Install security plugins: Wordfence (a WP firewall) and Sucuri (hardens the site and monitors all changes) or something comparable. The settings can be a bit challenging, but it's not impossible to configure. I can advise/consult with you privately if needed, as there are a lot of settings.
8. Do not store credit card or Social Security numbers on your site if you can possibly avoid it!

Anything that seems weird or unusual that might indicate a hack – IMMEDIATELY call your web host.

Now what you are really probably wondering…

AFTER AN ATTACK – WHAT YOU CAN DO

Based on cleanup article: https://fixmysite.com/website-blacklist-removal/
Your web host is the first person/company that can offer assistance after an attack. A great web host will go into lock-down mode until the problem is resolved.

IMPORTANT TOOL: Sucuri Site Scanner (FREE!) – https://sitecheck.sucuri.net is a free site scanner tool. The results of the scan can be linked to, so once your domain tests clean, save that URL.
Assuming you or your web host have already changed your passwords to prevent bad guys from logging in, and that your site is scanning as clean, these tips should help if your site was blacklisted.

IMPORTANT TOOL: Blacklist (email) checker – https://mxtoolbox.com/blacklists.aspx

1.) Google: https://search.google.com/search-console/about
This is where webmasters register their domain and verify that they own it. (Requires a meta tag, or an HTML file they give you, uploaded to your root folder.) It is the BEST way to inform Google that a compromised site is now clean. Make sure to provide the link to the Sucuri scan showing the domain is clean. It can take up to 72 hours.

2.) Norton: https://safeweb.norton.com/ (requires a verification file or meta tag added to site)
Anti-virus company who maintains their own blacklist.

3.) McAfee: https://www.trustedsource.org/
You may also request that McAfee review your domain – link to your Sucuri scan results when requesting the review (as proof).

4.) ESET Removal (if needed, Sucuri site scan will tell you): Manually request removal with proof
Anti-virus company who maintains their own blacklist.

5.) https://postmaster.google.com/u/0/managedomains?pli=1
Requires cPanel. When adding a TXT record to DNS, the domain is written: yourdomain.com.
The code they tell you to paste in (“enter text” area) MUST be in quotes.
Your web host can always help with this.

6.) Request help if emails with your site links get blocked at this Google Forum:
https://productforums.google.com/forum/#!forum/gmail (use https://sitecheck.sucuri.net/results/yourdomain.com as proof)

Another useful tool if you are analysing the IP addresses of who is visiting your website…

REVERSE IP to find where unusual site visitors are from:
https://www.melissa.com/lookups/iplocation.asp
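
To decide which visitor IP addresses are worth looking up, here is an added example (not part of the original tips) that counts requests per IP in a web server access log and flags addresses making repeated login attempts. The Apache "combined" log format, the two WordPress login paths, the threshold of 3 and the sample lines are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" access log format (assumed for this example).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# WordPress endpoints that password-guessing traffic usually goes to (assumed list).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def summarize(lines, login_threshold=3):
    """Return (requests per IP, sorted IPs with >= login_threshold login POSTs)."""
    hits = Counter()
    login_posts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip = m["ip"]
        hits[ip] += 1
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path.endswith(LOGIN_PATHS):
            login_posts[ip] += 1
    suspects = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return hits, suspects

# Constructed sample lines using documentation IP ranges, not real visitors.
SAMPLE = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 18230 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:01:09 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:02:15 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "Mozilla/5.0"
truncated line without the expected fields
""".splitlines()

if __name__ == "__main__":
    hits, suspects = summarize(SAMPLE)
    for ip, n in hits.most_common(5):
        flag = "  <-- repeated login attempts" if ip in suspects else ""
        print(f"{ip:15} {n:4} requests{flag}")
```

To run it on a real log, pass the open log file to summarize() in place of SAMPLE.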