Oh I see, sorry - didn't really look at their code.
(Assuming this is your first VPS/dedicated server and you're on a Linux-based OS):
Now that you're on a VPS the onus is on you to keep the OS up-to-date, as well as any dependencies.
If you have a WHM account that'll simplify things greatly for you as you can do pretty much everything, short of OS & kernel updates from within the WHM admin.
If you don't already have it, utilizing CSF, logwatch, rkhunter and ClamAV are good starting points.
Also disable expose_php via php.ini.
Turn off Apache server tokens.
If you're willing to invest a bit of time testing, mod_security as well; but you'll need to thoroughly test your cart. Out of the box a lot of rules are triggered by OpenCart.
https://www.linode.com/docs/security/se ... frequently
https://documentation.cpanel.net/displa ... -+Security
WordPress would be my first guess at entry too. Definitely keep it (and all add-ons) up-to-date & isolated.
Side note: Simply creating a separate cPanel account for the WordPress installs won't guarantee they're isolated; make sure permissions are set properly (no chmod 777!) and disable shell access for them.
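
The checks named in the post above (expose_php, Apache's ServerTokens, world-writable files, shell access), as an added audit sketch that is not part of the original post. The function names are hypothetical, and the php.ini, Apache config, web root and passwd-format file paths are whatever the caller supplies.

```shell
#!/bin/sh
# Added audit sketch; function names are hypothetical, paths are supplied by the caller.

# Last uncommented value of a directive: "key = value" (php.ini) or "Key value" (Apache).
directive_value() {  # $1=file $2=directive name
    sed -e 's/[;#].*$//' "$1" |
        awk -v k="$2" 'BEGIN { k = tolower(k) }
            { line = $0; sub(/=/, " ", line); n = split(line, f, " ")
              if (n >= 2 && tolower(f[1]) == k) v = f[2] }
            END { print tolower(v) }'
}

check_expose_php() {  # PHP's default is On, so a missing or commented line fails
    case "$(directive_value "$1" expose_php)" in
        off|0|false|no) echo ok ;;
        *) echo fail ;;
    esac
}

check_server_tokens() {  # Apache's default is Full, so a missing line fails
    case "$(directive_value "$1" ServerTokens)" in
        prod|productonly) echo ok ;;
        *) echo fail ;;
    esac
}

# Files and directories any local user can write to (the "chmod 777" case).
world_writable() {  # $1=web root
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Accounts in a passwd-format file that still have an interactive shell.
accounts_with_shell() {  # $1=passwd file, remaining args=account names
    pw=$1; shift
    for u in "$@"; do
        awk -F: -v u="$u" '$1 == u && $7 !~ /(nologin|false|noshell)$/ { print $1 }' "$pw"
    done
}

# Usage: sh audit.sh /path/to/php.ini /path/to/httpd.conf /path/to/webroot
if [ "$#" -eq 3 ]; then
    echo "expose_php:   $(check_expose_php "$1")"
    echo "ServerTokens: $(check_server_tokens "$2")"
    echo "world-writable paths under $3:"
    world_writable "$3"
fi
```

Any path printed by `world_writable` or any name printed by `accounts_with_shell` is something to fix before relying on per-account isolation.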