Keep your CMS secure
The most important step in doing this, is keeping your CMS and all of its plugins up-to-date. New vulnerabilities keep getting discovered, so it is of paramount importance to install the security updates that patch these as quickly as possible. Some vulnerabilities can be exploited to give total control of your webserver to attackers, or allow them to steal valuable data.
Secondly, it is strongly advised to not use the default CPANEL/ftp account, but at the very least its password should be changed. A better solution is to disable the default account and create a unique admin account with a strong password. Or better yet: 2FA enabled, if your solution allows it.
Do a yearly check on your user list, and make sure there are no remaining test users, or users added without your knowledge.
Install and enable security plugins on your CMS (and keep them up-to-date!), such as for example WordFence for Wordpress, or similar plugins that prevent brute-forcing and common web attacks such as SQL injection.
Lastly, directory browsing should be disabled, as this makes it trivial for attackers to find your data using simple google searches.