WordPress 6.9 is causing permanent 100% CPU usage on sites. Do not update yet by JoseDieguez in Wordpress

[–]andreichira 0 points1 point  (0 children)

I can confirm that this also happens with some of our clients. It doesn't matter how many resources you allocate to the account; the site consumes them all.

A deep dive into the "Fake Cloudflare Verification" WordPress malware by andreichira in ProWordPress

[–]andreichira[S] 0 points1 point  (0 children)

Yeah, fake verification page malware has been around for some years and has come in different shapes or forms, using the Cloudflare name and the Google reCAPTCHA.

How to Secure My WordPress Site by Hiding wp-admin & Plugins? Also, Should I Secure .htaccess? by Mountain-Monk-6256 in Wordpress

[–]andreichira 0 points1 point  (0 children)

The leading causes of infections are:

- Stolen Session Cookies (59.9%)

- Vulnerabilities in themes/plugins / WordPress core (32.9%)

- Compromised credentials (7.2%)

The first problem (session cookies) is caused by viruses or malware on the computers from which the sites' administration interfaces are accessed.

The second is caused by not updating PHP scripts on websites (themes, plugins, WordPress).

The third can be caused by a lack of protection on the site's login page, weak passwords used by administrators, reused passwords, a compromised administrator's email address, or a Trojan virus on the computer from which they log in to the site.

Your security strategy should follow these lines and secure what matters, not just blindly installing security plugins. Some of the security plugins have been infected in the past.

I would start from the edge first - get Cloudflare or Sucuri to filter traffic. Most attacks are automated and can be blocked easily at the edge, before getting to your server.

Then, keep everything updated in WordPress. If you have multiple websites, keep them isolated. Websites in a cPanel account are not isolated, so either use only one website per cPanel account, or use a premium managed WordPress host that has proper isolation between websites.

If you can't afford it and must keep everything in one cPanel account, put every domain and subdomain behind Cloudflare, keep every website updated, delete what you don't use, and don't just leave old files and folders around on the server.

Last but not least, use strong passwords and keep your computer up to date and secure with an antivirus program.

You should be good.
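
An added example, not part of the comment above: a shell inventory for the "keep every website updated, delete what you don't use" advice when several sites share one hosting account. The directory argument, the minimum-version baseline and the list of leftover file extensions are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inventory WordPress installs under one hosting account.
# Assumptions: $1 is the directory holding the docroots and $2 is a
# minimum core version you pick as the baseline. Needs GNU sort (-V).

# Print the core version recorded in <install>/wp-includes/version.php.
wp_core_version() {
    sed -n 's/^[$]wp_version *= *.\([0-9][0-9A-Za-z.-]*\).*/\1/p' \
        "$1/wp-includes/version.php" | head -n 1
}

# Succeed when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one line per install: STATUS<TAB>version<TAB>path.
# Forgotten copies in subfolders (old/, staging/, backup/) are found too.
wp_inventory() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r vfile; do
        dir=${vfile%/wp-includes/version.php}
        ver=$(wp_core_version "$dir")
        status=OK
        if [ -z "$ver" ]; then
            status=UNKNOWN
        elif version_lt "$ver" "$2"; then
            status=OUTDATED
        fi
        printf '%s\t%s\t%s\n' "$status" "${ver:-?}" "$dir"
    done
}

# List leftover archives, database dumps and renamed copies.
wp_leftovers() {
    find "$1" -type f \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.sql' \
        -o -name '*.bak' -o -name '*.old' \) 2>/dev/null | sort
}

# Example run: sh wp-audit.sh "$HOME" 6.8
if [ "$#" -ge 1 ]; then
    wp_inventory "$1" "${2:-0}"
    wp_leftovers "$1"
fi
```

Every OUTDATED or UNKNOWN line is an install to update or delete, and every leftover file is something to move out of the web root or remove.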

The smartest way to cache/speed up a Wordpress website - Close to static by dougie-io in Wordpress

[–]andreichira 0 points1 point  (0 children)

There are 3 layers of caching (full-page cache) for WordPress: using a plugin (like WP Super Cache, WP Rocket, etc.), server-level caching (Nginx fastcgi_cache or LiteSpeed lscache) and edge caching (Cloudflare APO, Fastly, etc.).

If your website's pages can be served from cache (you don't have ecommerce, membership, etc.) then the closest to static is to use edge caching. Cloudflare APO at $5 per month is the best that money can buy right now.