by Saris 977 days ago
Surprisingly, I've run a handful of WordPress sites for 10+ years now, some with quite a few plugins for e-commerce stuff, and haven't had any issues with sites getting hacked.

I mostly think it's due to updating quickly (generally I update the next day and manage it all with a central service), and to just not using unknown plugins that don't get updates.


I used to fix hacked WordPress sites; the top causes were:

* Using a plugin written by someone who has no idea how SQL injection attacks work.

* Failure to update WP/plugins after a known security vulnerability.

* Poor general security practices. Tip: don't use your domain name with the "o"s replaced by "0"s. Also, don't create a secret backdoor into your site because the owner has trouble remembering his password.

* Your web host itself has been hacked (https://www.bleepingcomputer.com/news/security/godaddy-hacke...).

All good points. I've seen some sites with every plugin years out of date when I've helped friends with theirs, weak passwords, that sort of thing.

I've always done my own hosting too, just a minimal setup of nginx, php-fpm, and mariadb on a 1GB RAM VPS. That way I can keep the server side up to date with security patches, instead of relying on a webhost that may not do it.

Backups run nightly offsite, and I monitor the sites with Change Detection, so if a plugin update does break something, or in the worst case a site gets hacked, I know fairly soon and can either fix it or roll back to a backup.