[jeroenhd]

Assuming you use unique passwords for your services, I think the crackability of a password isn't too big of a risk. You need to find a password dump somewhere for a specific website. I'd wager that most WordPress instances have only a few (if more than one) users in their database, you won't easily find a WordPress dump with a million passwords in it.

With an admin password you can probably upload some executable code, but if you can find a database dump online I doubt you'll have too much effort exploiting a WordPress plugin anyway.

[9dev]

You do realise 70% of the web is powered by Wordpress, including huge communities and platforms? That most people do not, in fact, use unique passwords per service? That password dumps are easy to find online? That haveibeenpwnd is a thing?

Just because Wordpress plugins are notoriously bad quality, you absolutely shouldn’t be lax with password security.