The most vulnerable moment for any hot wallet is the moment you enter your password!!! After that moment is the real exposure ! So my advice is : After every time you use password and finish your transaction -just go ofline and change your password...So the password remain virgin all the time! I think that is good practice.
Of Course the cold storages is the best and also use VPN is recommended!