WordPress, on its own, is not insecure. Keep this in mind before believing any misconceptions about security of this platform.
That said, WordPress websites are prone to attacks simply because of the fact that there are so many of them (over 12 million, more than any other CMS available on the internet), and because people can be deliberately naïve about security when it fits their moods.

In this post, I’ll highlight some of the basic, but often overlooked, security mishaps-in-waiting that make your WordPress website vulnerable to attacks, in short how to improve WordPress security. Take your time and read WordPress security tips.

Admin account, usernames and passwords

WordPress login is the first access point any hacker will target. Whether they succeed or not depends on how seriously you take the first digital security advice ever of setting a strong password.

Brute force attacks (“try until you succeed”) are performed today by bots capable of attempting hundreds of logins with various combinations of letters and numbers. But there’s a catch: the more characters you have in your password, the lower is the probability of anyone cracking it.

Why? Every additional character in your password increases your login security exponentially. If your password has 10 characters, the hacker stands 1 in 210 chance of cracking it. A sufficiently strong password could take years to crack on standard hardware.

A mix of numbers, letters, and allowed characters throws brutes off the scent and makes it even more difficult for them to guess it.

Now that you understand the importance of secure passwords, here are a few more steps you can easily take to secure your admin login:

• Limit login attempts: Good security plugins like WordFence or Sucuri have that feature. This locks access to login form after a few consequent failed tries.
• Admin safety protocol: Once installation is done, make sure to create a new account (with a highly contrived username and login) and assign ‘admin’ role to that. Do NOT post content on your website from admin account.

Hosting

"As of 2013, 41% of WordPress sites were hacked via hosting provider."

Websites on shared hosts are more vulnerable for obvious reasons: one infected website can compromise all the websites on the shared server. Yep, it’s almost exactly like a zombie contagion.

There’s no known cure (except ‘restore from backup after changing servers). But you can prevent this from happening by taking some precautionary measures seriously.

• Soup Kitchen Servers: Host your precious website on a quality web host with a long, long list of trusted clientele and testimonials. Those web hosts make a point of running routine server maintenance, and that reduces chances of an attack.
• Account Isolation: Even on a shared server, this feature will block the infection from spreading to your website. Ask your web host for more details about the same.

The type of hosting also plays a bigger role than you think: VPS (Virtual Private Server) or Dedicated servers are tools for bigger businesses and slightly out of a regular Joe’s budget, but they are secure. Shared hosting providers like BlueHost and SiteGround are good. Managed Hosting like WP Engine take care of website security, so you don’t have to worry about a thing except content.

Use Plugins and Themes from Trusted sources only

First off, and this goes without saying: Do NOT paste random code snippets from obscure corners of the web in your WordPress files. Unless you know exactly what you’re doing, that’s just as dangerous (for your website) as eating out of garbage.

Secondly, and this is an extension of the previous point: When you download themes and plugins, make sure you do so from trusted sources only. Premium themes and plugins are tempting, but don’t go looking to get them for free on pirated sources. You will only make your site vulnerable to attacks from people who know how to prey on greed and gullibility.

Update and Backup

Every WordPress update gives you new features and better security. What’s not to like?

Granted, you are apprehensive about compatibility issues, and hey, if it ain’t broke, right? But previously unknown/overlooked security flaws get released to the public (with their patches) with updates. If you don’t upgrade, you are a sitting duck for attackers who now know all your weak spots.

Also: Backup. Regularly and consistently. This is your safety net in a number of complications. There are hundreds of good backup plugins. Make sure to create backups for entire site and don’t forget the database.

Endnote

The purpose of this post was to stress the importance of basic measures. Website security is a responsibility. You’re entitled to it only if you don’t jeopardize it inadvertently by being flippant about it.