by calibas 977 days ago
I used to fix hacked Wordpress sites, top causes were:

* Using a plugin written by someone who has no idea how SQL injection attacks work.

* Failure to update WP/plugins after a known security vulnerability.

* Poor general security practices. Tip: don't use your domain name with the "o"s replaced by "0"s. Also, don't create a secret backdoor into your site because the owner has trouble remembering his password.

* Your web host itself has been hacked (https://www.bleepingcomputer.com/news/security/godaddy-hacke...)
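To make the first point concrete, here is an added example (not code from the thread or from any real plugin) of a hypothetical WordPress plugin search handler, first written the way vulnerable plugins usually are, then rewritten with `$wpdb->prepare()`. It assumes it runs inside WordPress (the global `$wpdb`) and a plugin-created table `wp_myplugin_items`; the table name and the `q` parameter are invented for the example.

```php
<?php
// Added example, not from the thread. Hypothetical plugin table
// {$wpdb->prefix}myplugin_items and request parameter 'q'.
// Assumes it is loaded as a WordPress plugin so $wpdb is available.

// INSECURE pattern: the request value is spliced straight into the SQL
// string, so the value can change the query instead of staying data.
// Kept only so reviewers recognise the shape; it is never registered.
function myplugin_search_insecure() {
    global $wpdb;
    $q   = $_GET['q'] ?? '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}myplugin_items"
         . " WHERE title LIKE '%{$q}%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: prepare() placeholders keep the value as data, esc_like()
// stops '%' and '_' in user input from widening the match, and the
// LIMIT is a bound integer rather than interpolated text.
function myplugin_search_secure() {
    global $wpdb;
    $q    = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) );
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}myplugin_items"
        . " WHERE title LIKE %s LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

// Only the hardened handler is exposed. The nonce check ties the
// request to a page the site itself rendered (nonce name is hypothetical).
add_action( 'wp_ajax_myplugin_search', function () {
    check_ajax_referer( 'myplugin_search', 'nonce' );
    wp_send_json( myplugin_search_secure() );
} );
```

When reviewing a plugin before installing it, grepping for `$wpdb->query(`, `get_results(` and `get_var(` calls whose SQL is built with string interpolation rather than `prepare()` finds this class of bug quickly.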


All good points. I've seen some sites with every plugin years out of date when I've helped friends with theirs, weak passwords, that sort of thing.

I've always done my own hosting too, just a minimal setup of nginx, php-fpm, and mariadb on a 1GB RAM VPS. That way I can keep the server side up to date with security patches, instead of relying on a webhost that may not do it.

Backups run nightly offsite, and I monitor the sites with Change Detection so if a plugin update does break something or in the worst case a site gets hacked, I know fairly soon and can either fix it or roll back to a backup.