When it comes down to it, it’s not the WordPress site itself but the people managing the WordPress site that have both the best chance of preventing a hack and the best chance of causing one.
The two most common reasons I see behind WordPress hacks are:
Weak Admin Passwords: A quick Google search will turn up lists of the most common passwords and they’re depressingly simple ones. If someone gets the admin login for your site, they essentially have the keys to the kingdom. Thankfully, WordPress is now enforcing stronger password generation in core but weak passwords continue to be a big factor behind hacks. If you have even the slightest suspicion that your admin password may be too easy to guess, change it. Change it now.
Lack of Maintenance: WordPress is open-source software and, like any other software, it needs maintenance to ensure it keeps running smoothly and securely. WordPress minor releases frequently include security patches or hardening that are worth applying to your site in a timely fashion. Plugins, just like WordPress core, also require maintenance. Just recently, multiple security issues were found in Visual Composer that required an update to patch. If sites are left unattended for months or years without running any of these updates, they’re at high risk. Attacks on these vulnerabilities frequently aren’t aimed at specific sites; they are aimed at a specific vulnerability, and the attackers crawl the web looking for any site that still has that weakness and can be exploited.
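Both patterns above, untargeted crawling for vulnerable plugins and password guessing against the admin login, leave a recognisable trace in the web server access log. The script below is an added example, not from the original post: it flags client IPs that probe many plugin paths that do not exist on this site, and IPs that hammer wp-login.php. The log lines, plugin slugs, thresholds and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs, made-up slugs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.55 - - [10/May/2024:12:02:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2024:12:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Pull out client IP, method, request path and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")

def analyse(log_text, probe_threshold=3, login_threshold=3):
    """Return {ip: [findings]} for IPs whose traffic looks like untargeted scanning or login guessing."""
    plugin_404s = defaultdict(set)   # ip -> distinct plugin slugs requested that are not installed here
    login_posts = defaultdict(int)   # ip -> number of POSTs to wp-login.php
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        p = PLUGIN_RE.match(path)
        if p and status == "404":    # a 404 under /wp-content/plugins/ means the scanner guessed wrong
            plugin_404s[ip].add(p.group(1))
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, slugs in plugin_404s.items():
        if len(slugs) >= probe_threshold:
            findings[ip].append(f"probed {len(slugs)} plugins not installed here")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} login attempts")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```

A single legitimate user who mistypes a password once (192.0.2.55 above) stays below the threshold, so the output only lists the two noisy clients; tune the thresholds to your own traffic before acting on the result.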
So outside of ensuring you have a strong admin password and regularly updating WordPress core and its plugins, what else can be done?
First, ensure you’re making regular backups of your entire WordPress site. I personally love VaultPress and BackUpBuddy. If you do fall victim to a hack, a recent backup turns it into a minor road bump rather than a site ruiner.
Finally, you should read the article in the Codex on Hardening WordPress and consider what additional WordPress security measures may be right for your project.