People run out-of-date themes and plugins. There are literally millions of hacks waiting to happen, and the bad guys can get step-by-step instructions on how to hack your site.
Answer: Update your site bi-weekly, or as soon as an exploit that affects a plugin you are using is released.
Sadly enough most WordPress installs have the same old “admin” user that came with it by default. Even sadder the top 5 passwords for 2015 were
If this sounds familiar, remember that the vast majority of people also recycle the same passwords between accounts, so it's a big issue.
Answer: Please use a password manager that creates and autofills passwords, and change them on a semi-consistent basis.
Improperly configured server/hosting.
Insecure permissions, especially on image directories.
Improperly set index options open up file listings and indexing of directories: https://wiki.apache.org/httpd/DirectoryListings (look up “Google hacking”).
Answer: Set your files to 664, directories to 755, and .htaccess to 400.
Here is an htaccess I use for my WordPress sites that might help some.
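As an added example (not the author's own .htaccess, which is not reproduced here), the following shell script applies the permission scheme from the answer above to a WordPress document root, writes a minimal .htaccess that turns directory listings off with Apache's `Options -Indexes`, and checks that nothing has drifted. The document root path is an assumption; pass your own.

```shell
#!/bin/sh
# Added example, not from the original post: apply the permission scheme from
# the answer above (files 664, directories 755, .htaccess 400) to a WordPress
# document root and disable directory listings. Paths are assumptions.
# Usage: harden_permissions /var/www/html ; disable_indexes /var/www/html

set -eu

# Apply 755 to directories, 664 to files, and 400 to every .htaccess.
harden_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name .htaccess -exec chmod 664 {} +
    find "$root" -type f -name .htaccess -exec chmod 400 {} +
}

# Write a minimal .htaccess that disables directory indexes if none exists.
# An existing file is left untouched so a site's own rules survive.
disable_indexes() {
    root="$1"
    if [ ! -f "$root/.htaccess" ]; then
        printf 'Options -Indexes\n' > "$root/.htaccess"
        chmod 400 "$root/.htaccess"
    fi
}

# Return 0 when every path matches the scheme; otherwise print the offenders
# and return 1. Useful as a cron job that alerts when permissions drift.
check_permissions() {
    root="$1"
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name .htaccess ! -perm 664
        find "$root" -type f -name .htaccess ! -perm 400
    } )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Run `disable_indexes` before `harden_permissions` so the freshly written .htaccess is covered by the same pass; `check_permissions` is meant to be scheduled afterwards, since a plugin upgrade or an upload through a misconfigured FTP client can quietly loosen modes again.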
Don’t have backups.
Answer: Keep backups for 60 days; there are a plethora of plugins and services out there. Suggest some in the comments.
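As an added example (not from the original post, and not any particular backup plugin), here is a small shell script that archives a WordPress directory together with a database dump and prunes archives older than 60 days. The document root, backup directory and dump command are assumptions; the dump command is passed in so the script itself never hard-codes database credentials.

```shell
#!/bin/sh
# Added example, not from the original post: dated archive of a WordPress site
# plus its database, with a 60-day retention as the answer above suggests.
# Paths and the dump command are assumptions; adjust them for your host.
# Usage: backup_site /var/www/html /var/backups/wp "mysqldump --single-transaction wp_db"
#        prune_backups /var/backups/wp

set -eu

# backup_site DOCROOT BACKUP_DIR DUMP_CMD
#   DOCROOT    the WordPress directory to archive
#   BACKUP_DIR where archives are written
#   DUMP_CMD   a command that prints the database dump on stdout (assumption:
#              something like "mysqldump --single-transaction wp_db")
# Prints the path of the archive it created.
backup_site() {
    docroot="$1"; backup_dir="$2"; dump_cmd="$3"
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$backup_dir"
    # Database first: a failing dump aborts before a half-useful archive exists.
    sh -c "$dump_cmd" > "$work/database.sql"
    tar -czf "$backup_dir/wp-$stamp.tar.gz" \
        -C "$(dirname "$docroot")" "$(basename "$docroot")" \
        -C "$work" database.sql
    rm -rf "$work"
    printf '%s\n' "$backup_dir/wp-$stamp.tar.gz"
}

# prune_backups BACKUP_DIR [DAYS]: delete archives older than DAYS (default 60).
prune_backups() {
    backup_dir="$1"; days="${2:-60}"
    find "$backup_dir" -name 'wp-*.tar.gz' -type f -mtime +"$days" -exec rm -f {} +
}

# count_backups BACKUP_DIR: number of archives currently retained.
count_backups() {
    find "$1" -name 'wp-*.tar.gz' -type f | wc -l | tr -d ' '
}
```

Schedule `backup_site` followed by `prune_backups` from cron, and copy the archives off the web host; a backup that lives only on the server it protects disappears with the server.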
Don’t have anyone monitoring or watching the site on a regular basis.
Answer: Install Wordfence (a personal favorite). Configure it to scan your site and to compare your WordPress core files and plugins against the repository.
See also: How to Configure the Wordfence Security Plugin for WordPress.
Insecure theme or custom coding.
Answer: Get a professional to do an audit.