An unfortunate reality when it comes to the security of WordPress websites is that the people behind WordPress have engaged in years long cover up of security issues with WordPress plugins leading to far too many websites being unnecessarily hacked. We have been trying to get things changed for years, but so far the people on the WordPress side of things are more interested in covering up problems instead of taking the fairly easy step that could fix them. Also, unfortunately the rest of the security industry seems uninterested in working to get those problems fixed, maybe because that would mean less business for them.