The Hosting Provider is rarely the weak point. The weak point is that you did not keep up with Wordpress security updates or you bought a theme or plugin that was no longer maintained.
Secure each computer that has admin access to your website - anti-virus, anti-malware, etc.
Install the free Bulletproof Security plugin. Your main defense is your .htaccess file and many of the other “security” plugins do NOT adjust this file accordingly.
Use SFTP never FTP
Use LastPass or a similar utility to generate and save a unique complex password for EACH website you access with a username and password. Then run the LastPass Security Check to identify which sites are using the same password and then CHANGE them.
If you have multiple domains make sure EACH DOMAIN is installed in its own cPanel (you can do this with subdomains too). Then make sure the cPanel password is unique for EACH DOMAIN. Otherwise, if your cPanel password is hacked, the hacker will have access to ALL your domains (especially if you have used free Addon domains).
Make sure you always have a recent full backup, know where it is and how to do a restore BEFORE you need to.
Take advantage of all security features offered by your DNS registrar to SECURE YOUR DOMAIN NAME.
Use two factor authentication whenever possible.
Update Wordpress whenever a new update is released. It’s your site, take care of it. Updating is done via the Dashboard and is easy to do.
Update all plugins and themes as well. I advise logging into your dashboard once a day for less than 1 minute and you can stop most hacks except for the rare zero day exploit
Get an easy to remember and secure password. I told people to assemble 3 random objects on or near their desk line them up and snap a photo of them. In my case now my random objects would be cup, hammer and remote. I would move them into an easier to remember order so it would be remotecuphammer. then to make it a bit harder I would put sequential numbers in the middle of each word and then follow that with a 4 non sequential numbers I find interesting and will remember (that is not a birthday of you or your child or anyone else you know) so remote0cup1hammer1215. I know have a photo of a hammer tv remote and a cup as well as sequential numbers and a non sequential date that I find easy to remember. Do something like this but do not chose remote0cup1hammer1215 as your actual password.
If you have command line access to your site do a Maldet security scan. You can ask tech support at your webhost for assistance. We did this part for free but now some hosts charge for any kind of clean up at all.
If evidence of hack still exists like a message appears or a automatic redirect happens then grep or “search” for the keywords in your webhostng directory so if it says “[email protected] by Mr. [email protected]” then do a search for that term and edit it out whenever it appears. If there is a redirect to like pilland p-orn dot com then check your htaccess for redirects and if it still appears then do a search of all your files. I have seen hackers destroy a whole database and fill it only with redirects to other websites. if that is the case then you will have to ask your web host to restore your database to a pre-hacked version.
In short, your webhost is not to blame but they can help you. Also be sure to take off-site backups of your site and pay attention to it daily. I’ve had people who were hacked who had no idea when they were hacked because they never paid attention and web hosts keep backups at most for 2 or maybe 3 months and it is in the fine print that if no viable backup exists, you will be out of luck.