No matter how secure your website or servers are, if you do not have long, complex and unique passwords it is only a matter of time before you get hit. For server SSH logins you should ALWAYS use key-based authentication and change the default SSH port from 22 to something random such as 6000.
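A small check for the two SSH settings recommended above, added here as an illustration and not part of the original page: it reads `sshd_config` text and flags password logins and the default port. The sample configurations and the function names are constructed for this example, and `Match` blocks and `Include` files are not evaluated.

```python
# Added example: audit the global section of an sshd_config for
# password logins and the default port. Sample configs are constructed.
WEAK_CONFIG = """\
# constructed sample: stock-style config
#Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sample: settings recommended in the text
Port 6000
PasswordAuthentication no
PubkeyAuthentication yes
"""

def parse_global(text):
    """Return (settings, ports) from the lines before the first Match block."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # assumption: conditional overrides are out of scope here
        if key == "port":
            ports.append(int(value))  # Port may be given more than once
        else:
            settings.setdefault(key, value)  # first value obtained wins
    return settings, ports

def audit(text):
    """List findings; absent keywords fall back to sshd's defaults."""
    settings, ports = parse_global(text)
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("password logins enabled: set PasswordAuthentication no")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("key logins disabled: set PubkeyAuthentication yes")
    if 22 in (ports or [22]):
        findings.append("listening on default port 22: set Port to another value")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On a live host, `sshd -T` prints the effective configuration, which also accounts for included files.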
WordPress sites should have unique passwords that are at least 15 characters long, and it would be wise to enable 2FA for additional protection. Never use any form of SMS service for 2FA. All passwords should be unique and not reused for other services such as your email account or Facebook.