There is a general view that WordPress suffers from security vulnerabilities. That is an unfair and ill informed view and stems from people building sites without taking the necessary precautions.
All sites need to implement security protection and this is true for WordPress Websites as well.
Hackers find new ways of attacking the most secure sites, even banks and government sites. All site owners or developers have to guard against bad actors and take all reasonable precautions to put up a defense.
Here is a checklist for actions required to make WordPress Safe and unpenetrable.
For Details about each of these, scroll down.
Change Default WordPress settings
Choose a reputable theme
Choose only reputable plugins
Keep WordPress, your Themes and Plugins up to date.
Hide which credential is failing in the reset password function.
Install a backup plugin that also allow remote backups – (UpdraftPlus recommended)
Never share your login details with anyone who needs Admin access. Create a unique account with Admin access to anyone who needs it.
Keep Administrators to the minimum. Once Administrator privileges are no longer required, delete the user or change his or her role.
Make sure all users with Administrator access have paid, up to date and regular scanning malware on all devices that they may use to sign on to the site.
Make sure user Login Names do not correspond with User Names, Nick Names or display Names.
Install Disable XML-RPC-API
Install WPS Hide Login
Manage Comment settings
Install good security plugins and configure them – Wordfence recommended
Force strong passwords for Admins. (Wordfence Setting)
Force Administrators for change their password regularly. (Wordfence Setting)
These are all things you can do yourself or with minimal costs for a freelancer.
It can all be done with free plugins.
If you have taken these actions and keep things up do date you will have secured your website.