WordPress accounted for 90 percent of all hacked CMS sites in 2018 Backdoors found on two-thirds of all hacked sites, SEO spam on half March 5, 2019 https://www.zdnet.com/article/wordpress-accounted-for-90-percent-of-all-hacked-cms-sites-in-2018/ Website Hack Trend Report 2018 (PDF - 1.49 MB): https://sucuri.net/reports/19-sucuri-2018-hacked-report.pdf
13 Reasons Why WordPress Hacks are Successful June 25, 2019 https://www.tripwire.com/state-of-s...ection/13-reasons-wordpress-hacks-successful/ Spoiler: 13 WordPress Worst Security Practices Minimal or no WordPress maintenance (not updating core, plugin, and themes). Not backing up the database and files. Lack of malware checks, security scans, security plugins (or services) and security monitoring. Failure to limit login attempts. Failure to use sitewide SSL. The use of weak passwords. Using the default user admin account instead of using a custom name. Adding too many admins (use caution when giving user privileges). Not using two-factor authentication (2FA). Using plugins and themes from untrustworthy sources. Failure to use the latest PHP version. Failure to use a firewall. Using “cheap” low quality or shared hosting.