Information Security
MAXH0, 2013-11-18 09:40:25

The site was hacked. What is the sequence of actions?

On Saturday, spam was sent from my site.
"Spamming has been detected on behalf of your user. The ability to send emails from the server is blocked."
"The spamming was done through the scripts of the account's websites."
Most likely, there is a standard procedure that is performed in this case. What do you advise? And how do I protect myself in the future?
Hosting - timeweb.ru (if needed)

5 answer(s)
texxnik, 2013-11-18
@texxnik

1. Never save the hosting control panel password in the browser
2. Never save the password of a user with site admin rights
3. Never save the password in programs through which you access FTP
4. Change the password at least once a month
5. Password must be [a-zA-Z0-9]

Actions that must be done now:
1. Change the password for everything related to the Control Panel, FTP, and the Control Panel on the site
2. Check the site for vulnerabilities

MAXH0, 2013-11-18
@MAXH0

More detail on the second point, please.
The passwords, of course, were changed immediately.

Nikolai Antal, 2013-11-18
@hermit931

It is also advisable to check the files for suspicious code.

dip00dip, 2013-11-18
@dip00dip

After changing passwords, if possible, you should:
1) Save everything possible (full dump of code, databases and logs).
This is done for further analysis: determining the cause and details of the hack (script, date and time of hacking the site + IP of the attacker).
2) Restore the site from a backup copy (database, scripts, etc.).
3) Analyze the saved data from point 1.
4) Eliminate the vulnerability through which the site was hacked.
You can even try to upgrade to the latest version of the scripts before the analysis is completed, if you used something standard (WordPress, for example).
5) Conduct a comprehensive audit of the site for vulnerabilities.
For this, look for either competent specialists or a good service.
6) At first, pay special attention to the server logs: the likelihood of repeated attempts to hack the site will be very high.
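
An added example, not part of dip00dip's answer: one way to carry out the log analysis from step 3, pulling the script, time and client IP out of saved access logs. The combined log format, the data-directory list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adjust to the host's real format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Directories where PHP normally should not be executed (assumed heuristic).
DATA_DIRS = ("/uploads/", "/images/", "/cache/", "/tmp/")

def summarize_php_posts(lines):
    """Group successful POSTs to .php scripts: count, client IPs, first seen."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = hits[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(hits)

def suspicious_scripts(summary):
    """Scripts in data directories that received POSTs, most hits first."""
    flagged = [p for p in summary if any(d in p.lower() for d in DATA_DIRS)]
    return sorted(flagged, key=lambda p: -summary[p]["count"])

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Nov/2013:03:12:01 +0400] "POST /uploads/2013/img.php HTTP/1.1" 200 15 "-" "-"',
    '198.51.100.7 - - [16/Nov/2013:03:12:05 +0400] "POST /uploads/2013/img.php HTTP/1.1" 200 15 "-" "-"',
    '203.0.113.9 - - [16/Nov/2013:03:13:40 +0400] "POST /uploads/2013/img.php?x=1 HTTP/1.1" 200 15 "-" "-"',
    '192.0.2.44 - - [16/Nov/2013:09:00:00 +0400] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [16/Nov/2013:09:00:02 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    summary = summarize_php_posts(SAMPLE_LOG)
    for path in suspicious_scripts(summary):
        e = summary[path]
        print(path, e["count"], sorted(e["ips"]), e["first_seen"].isoformat())
```

Run it against the saved copy of the logs from step 1, not the live server, so the evidence stays unchanged; a flagged path is a lead to inspect in the saved code dump, not proof by itself.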

Mikhail Yesenin, 2019-01-23
@mirzok

In addition to a comprehensive audit, as advised above, I advise regular security monitoring. Roughly speaking, a service that once a week checks that you have no holes in the old code and that no new code with vulnerabilities has appeared. Many scanners can do this, such as metascan or detectify.
