One of the unfortunate realities when it comes to the security of WordPress these days is that the actions of the WordPress team have caused a situation where there are currently plugins with 4.23+ million installs (as of February 7, 2019) with publicly disclosed vulnerabilities, which the team not only are not warning people are vulnerable, but they continue to include in their Plugin Directory, so even more websites are introducing vulnerabilities in to their websites for no good reason.
Among those plugins are security plugins , plugins that store customer data that anyone can access, and even ones that hackers are already exploiting.
A recent article on ZDnet tells us that WordPress accounted for over 90 percent of all hacked CMS web sites last year.
But while 90 percent of all hacked sites were WordPress, most of these were running up-to-date versions. Only 36 percent of the hacked WordPress sites that were investigated ran an outdated version.
On the other hand, CMSs like PrestaShop, OpenCart, Joomla, and Magento, when found to be hacked, they almost always were running on an out-of-date version.
Please consider your choices before picking your web site platform.