Security WordPress

WordPress under attack : the main reasons your website is vulnerable

There are quite a few reasons why your website can be vulnerable. In general terms it comes down to how up to date it is, how strong your passwords are, your web hosting environment and your own behaviour. As far as your website itself is concerned, here is a list of the most common reasons:

WordPress core Updatability

WordPress as a whole is regularly updated by its creators to fix bugs, patch security holes and bring new features to the end user. Your WordPress version should always be the latest, so that the core itself is not a source of doubt for your security.

The catch is that always updating WordPress to the latest version may break some plugins and themes that are incompatible with that version. If you built your website in a clean, non-code-intrusive way, that risk should be minimal.

Most modern web hosting companies allow you to set your WordPress installation to update automatically to newer versions, which is a really useful feature to have and to use when it comes to security.

Plugins Updatability

WordPress plugins, being one of the major sources of weakened security, should always be updated to their latest versions. There is no shortage of examples of very popular plugins being used to infect websites because of security holes found in them.

What happens is that a security vulnerability is found in a plugin, the author (usually) patches it in time, but the website managers and owners do not go in and update that plugin. In such cases the version of the plugin installed on that website remains vulnerable and can be used for malicious purposes.

Remember that if you don’t update a plugin for a long time, its next update could break your website because of incompatibilities. Perform regular updates to your plugins.

Theme Updatability

The theme you use on your WordPress website matters a great deal to how your website works; it is not only about the looks. Themes generally add “stuff” to WordPress websites deeper than the website’s appearance. So if a theme is not updated, two bad things happen at the same time: the theme gets older and possibly more vulnerable, and it becomes less able to be updated at a later stage because of backwards compatibility.

There are website developers and designers who either use themes that were not properly purchased, so they have no license that would allow them to be updated, or use themes that are badly built and maintained. In such cases the theme’s updatability becomes a big problem, both for security and for the overall updatability of your WordPress website.

Another common case is that some website developers edit the theme to such a degree that it becomes virtually un-updatable, because an update would overwrite all the custom edits.

Administrator username, password and access

When logging into the administrator’s area of your WordPress website, you use a username and a password. The less complex those are, the easier your website is to hack. Choosing a strong password is critical these days. You shouldn’t need to remember your password; you can write it on a piece of paper and use it from there. The easier a password is to remember, the weaker it is.

Also, most WordPress websites on the planet have the same administration login URL, /wp-admin, which attackers know just as well as we do. Wouldn’t it be “smarter” to take this out of the equation by changing wp-admin to something else so people cannot guess it? Applying such simple but “smart” fixes is part of a security practice called “Security through Obscurity”, which aims at creating misleading breadcrumbs for an attacker to follow, leading them somewhere other than where they intended to go and thus making their task harder.

Bad hosting environment

The web hosting environment your website runs on is critical to your website’s security, speed, user experience and more. Choosing a web hosting environment that is optimized for WordPress and whose support staff know how to answer questions about security is essential. Not all web hosting vendors know how to deal with WordPress security issues, and not all know what matters for WordPress security on the server side.

Bad file permissions on your web hosting package

Another source of “bad security” is the permissions on your folders and files on the web server. Folders should be 755 and files should be 644; what this means, we will see later on in this document.
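To make the 755/644 baseline checkable rather than just a rule to remember, here is an added example (not from the original article) that audits a WordPress tree for directories that are not 755 and files that are not 644, and resets them. It assumes GNU `find` (for `-printf`) and takes the web root as its argument; the demo tree it builds is constructed, not a real site.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Audit and fix WordPress file permissions: 755 for directories, 644 for files.
# Assumes GNU find (-printf) and that the web root is passed as $1.

# Print every directory whose mode is not exactly 755 and every file not exactly 644.
wp_perm_audit() {
    root="$1"
    # plain octal -perm is an exact match; -perm -755 or /755 would mean "at least"
    find "$root" -type d ! -perm 755 -printf '%m dir  %p\n'
    find "$root" -type f ! -perm 644 -printf '%m file %p\n'
}

# Number of offending entries, handy as a quick health check (0 means clean).
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Reset the tree to the baseline the article recommends.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree so the script runs offline; prints "<before> <after>".
wp_perm_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads"
    printf 'ok\n' > "$demo/index.php"
    printf 'constructed sample\n' > "$demo/wp-config.php"
    chmod 755 "$demo" "$demo/wp-content"
    chmod 777 "$demo/wp-content/uploads"   # too loose: world-writable directory
    chmod 644 "$demo/index.php"
    chmod 666 "$demo/wp-config.php"        # too loose: world-writable config
    before=$(wp_perm_violations "$demo")
    wp_perm_fix "$demo"
    after=$(wp_perm_violations "$demo")
    rm -rf "$demo"
    echo "$before $after"
}

wp_perm_demo
```

Run `wp_perm_audit /path/to/wordpress` on a real install to list what deviates before touching anything; `wp_perm_fix` should only be run once you have confirmed the listed entries are not intentionally different.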


No matter how much security you have, there is always the rule of the “middle man”. In most “rock star” hacking cases, it was not a system or an algorithm that made an error, it was a human being who did something wrong. For instance, if you keep your admin area login details in an SMS on your phone and someone steals your phone and gets into your web server, that is an example of the “middle man” problem that exists in security everywhere.

Take care of where and how you save your passwords, who you share your passwords with, who you add as an admin user to your WordPress website, who has which rights on your site, and whether that person knows about security too. There’s no real point in applying all that security when your fellow administrators do not: if you don’t get hacked, they will, and the result will be the same.


  1. Having your login username as admin will have a higher chance of a hack, use something else, even your Twitter username or github username is better than admin. Another great tip is not passwords you don’t remember, but it has been proven that actual word passwords such as “iwonthespellingbein7thgrade” takes longer than “c#39b40!2”
    Humans and computers are different in this way, even just using an online password tester can prove this.
