First, what do you mean by viruses? :)
Did you get a rootkit hooked on you? :) Or did someone stuff a backdoor into the miracle of php scripts?
In the general case, there are only 3 mass penetration methods:
1) Vulnerability in server software. (notorious heartbleed, vulnerability in bash and much more)
When using cheap shared/vps hosting - you can only hope that the host will update everything.
The solution is to rent a dedicated server and update it yourself.
By the way, it is not expensive, normal servers in hetzner start from 70 euros per month.
2) Vulnerability in logins/passwords.
Ideally, use certificate authorization only.
3) The most frequent - crooked scripts :) In mass cms, an unrealistic amount of shit code and holes generated by it.

Most likely, it’s not the hosting that matters, but the site that is on this hosting, there may be holes through which viruses enter

The theory was well described by @DmitriyEntelis In practice, for leaky scripts, systematic scanning for infection with sending soap to the admin, if something is found, helps a lot:
General scan of engine directories - maldet/clamav
Quick scan of the entire server for known dependencies and rootkits - rkhunter
Scanning of a specific engine - AI-Bolit
Protection against scanning by bots, from a simple ban by ua, for scriptkids, to setting up psad.
Continuous Intrusion Prevention Analysis - Snort
Well, keep your CMSs up to date along with plugins. In general, good server security is the joint competent work of a system administrator, programmer and security officer, but the price is appropriate, in other cases, we scan, clean, update (close the holes found) and so on in a circle.

protect not hosting, but the site and computers of those who work with it