Here are some advice to protect your web site.

• Install the plugin Theme Authenticity Checker (TAC) to see if there are any malware or unwanted code in the theme you have installed.
• Install a backup plugin. I use Duplicator or Duplicator Pro. Or check out Updraft Plus.
  Backup regularly and then download the backup to your machine, Dropbox etc. Your web host might also have an automatic backup and restore service available for your full account.
• Install an automatic plugin to update WordPress Core, plugins and themes. Keep your site updated! I use Advanced Automatic Updates (check the link for some other options as well).
• Install security plugins. I use Wordfence on my various sites. Another is iThemes Security.
  Check my article on security plugins and other tips.
• Use strong passwords and change them on occasion.

Account shut down e-mail from Bluehost

Just before Thanksgiving I received a pretty harsh e-mail from Bluehost mentioning they had shut down my account because of malware infection. I chatted with their support and was told of the infection and they gave me a file listing all the files that were infected. I started replacing the files with originals that I downloaded. Deleted test sites and other sites I had recently backed up.
Then suddenly remembered that Bluehost also had a backup service in place. I logged into cPanel and went to the newest backup and restored it. That worked. If you want to read the story as it unfolded I posted in the Advanced WordPress Group on Facebook. A special thanks to Brandon who really helped me a lot during the malware problem!
These guys are very active within the WordPress community and are specialists that can help:
Jim Walker – hackrepair.com
Brandon Zundel – brandonzundel.com / https://fortipress.com
wp.team
https://ioncube24.com/

Resources:
https://codex.wordpress.org/FAQ_My_site_was_hacked

https://www.broadbandsearch.net/blog/how-to-tell-website-safe-legitimate