The most vulnerable moment for any hot wallet is the moment you enter your password!!! After that moment is the real exposure ! So my advice is :  After  every time you use password and finish your transaction -just go ofline  and change your password...So the password remain  virgin all the time! I think that is good practice.

 Of Course the cold storages is the best and also use VPN  is recommended!