WordPress is secure, as long as publishers take website security seriously and follow best practices. No software or website is completely secure. If you are connected to the Internet, you will always have vulnerabilities or ways to break in. However, wordpress infrastructure is one of the best infrastructures built and is designed to be safe from hackers and attackers.
WordPress is a very secure CMS, but like any other content management system, website or web application, it can be attacked by hackers. For many Wordpress sites, it is enough to take small steps to secure a website to prevent sites from being hacked. They work around the clock to keep WordPress secure by implementing the latest security measures, neutralizing potential security threats, identifying bugs, and releasing security update patches from time to time. There are some measures that WordPress itself suggests to its users to strengthen their websites.
While WordPress is constantly updating its core, enhanced security doesn't extend to its plugins created by third-party developers. However, the ecosystem has such an impressive reach that it is impossible to keep hackers away from WordPress sites. For that reason, it's important to note that WordPress security is much more than just a simple security plugin and secure passwords. If you're creating a new business website and you're looking for a secure CMS, there's no doubt that you've considered WordPress as an option.
Just like updating WordPress, users sometimes decide not to update themes or plugins because it could break their current settings. There are hundreds of WordPress security providers who claim that their plugin is “the best”, the most complete and “all you need”. For example, even though PHP 7 offers many security improvements over PHP 5, only ~ 33% of WordPress sites use PHP 7 or higher. Of all the hacked WordPress sites Sucuri consulted, 39.3% had outdated core WordPress software at the time of the incident.
However, if you're running a fully optimized WordPress installation, your site will run secure and scalable software. The most important step you can take to ensure that your WP site is safe from exploits is to keep the WP version and all installed plugins updated to the latest version.