You can try like this:

<ScrollView
        android:layout_width="match_parent"
        android:layout_height="wrap_content">

        <TextView
                android:layout_width="wrap_content"
                android:layout_height="20pt"/>

</ScrollView>

it depends what you have in there. If all sorts of Joomla ancient versions with a bunch of third-party components, it won't help. First figure out how it broke.

You can easily restrict access through htaccess,
if it’s not broken through the admin panel, then it won’t help.

Will closing the admin panel by ip increase security, no doubt yes. Whether it will protect against hacking that has already been - it is impossible to say.
Imagine a gate in a field. Will putting a good lock on them help? Yes, if someone breaks through these gates. But a rare hacker is a sheep. And by closing the gate for him, you will force him to look for workarounds.

Controlling everything that people write in forms on the site will definitely solve the problem. Hacking a site through a form is a fairly popular method of hacking, and it is very typical for simple sites.
By restricting admin access by IP address, you can protect yourself, but this will not help if you have other holes on the site.
Here is the article - read it.

Restricting entry by whitelisting ip is not the best idea, because. if you yourself want to log in with an ip that is not in the list, then nothing will work.
One option is to limit the number of failed admin logins from one ip. If I'm not mistaken, the client's ip with a properly configured server should be in the $_SERVER['REMOTE_ADDR'] variable.
Those. when logging in, it will be necessary to check the number of unsuccessful logins for today from a given address, and if the limit is exceeded, then block the login attempt.
In this case, it is advisable to choose a complex password.
But this will only protect against brute-forcing the administrator password. If you have XSS somewhere on your site and the cookie login is checked, then the login could be with an administrator cookie. Those. if you go to a page of your site with admin cookies where, due to XSS, you placed javascript that steals cookies, then your cookies are already far away, but after changing the password, everything should be ok again. An output in that case - sessions. The only problem is that after closing the browser, it will be necessary to log in every time. It's harder to steal a session.
XSS is solved through ubiquitous output filtering via html purifier and the like.
If your site uses OAuth, then there is a completely different approach, but the meaning is about the same.
It's also important to close unnecessary ports, hide everything except 80 behind port knocking, and be sure to use strong passwords for everything. ssh sftp
Once upon a time there was such a rumor that the crooked total commander steals passwords from ftp if it is used to connect via ftp. I don't know if this is true or not. do not use.
If, due to bad server settings after hacking, the attackers got full access to the server, then it is easier to change the hosting.
From VPS I recommend digitalocean or hetzner. So you get full control over the server, which allows you to configure according to all the rules.