This infographic courtesy of https://ithemes.com/2018/09/26/top-5-wordpress-security-vulnerabilities/
Here’s the text version
1. Poor Hosting
Not all web hosts are created equal, and choosing one solely on price alone can end up costing you way more in the long run with security issues. Most shared hosting environments are secure, but some do not properly separate user accounts.
2. Your WordPress Login
Your WordPress login is the most commonly attacked WordPress vulnerability because it provides a door to the inside of your WordPress site. Brute force attacks are the most straightforward method of attack that will be used to exploit your WordPress login.
3. Outdated Software
When your WordPress site is running outdated versions of plugins, themes or WordPress, you run the risk of having known exploits on your sites. Updates aren’t just for new features or bug fixes — they can also include important security patches for known exploits.
4. PHP Exploits
Exploiting PHP code is a common method used by hackers to gain access to your WordPress site, so it is crucial you reduce the risk by limiting exploit opportunities. Uninstall and completely delete any unnecessary plugins and themes on your WordPress site to limit the number of access points and executable code on your website.
5. Installing Software From Untrusted Sources
Only install software that you get from WordPress.org, well known commercial repositories or directly from reputable developers. Avoid “nulled” versions of commercial plugins because they can contain malicious code.
BONUS: Running Non-SSL Sites
Adding an SSL certificate to your website ensures that only the intended recipients can view sensitive information like login credentials, form submissions and even billing information. Luckily, unencrypted communication is one of the easiest WordPress security vulnerabilities to mitigate. Your host should provide a service to add an SSL certificate or you can add the SSL certificate on your own.