WordPress is a convenient tool to run web properties but unfortunately, it comes with a curse:
If left unintended, WordPress can be a high-risk platform.
And I mean by high-risk platform that WordPress is and will be targeted by hackers to exploit any vulnerability they find, "every single time".
Unless they are stopped.