As with any CMS - or indeed any program - WordPress has known and unknown vulnerabilities. Most known vulnerabilities are easy to protect against by updating WordPress core or your modules/themes. Some may require specific server settings but again are relatively easy to protect against. Unknown vulnerabilities are obviously harder to prevent, however proper server settings can mitigate the amount of damage and block many.
WordPress does have one large factor against it; it is very popular, hence it is a good target to search for vulnerabilities. However, that very popularity does provide a significant mitigating factor; more developers are using the code, developing with it, testing it and hence finding/fixing bugs before they can be used by malicious actors. Unfortunately many users are comfortable with day to day content changers but not with updates or security configuration. It is very easy to automatically scan sites to check what version of WordPress and quickly test for vulnerabilities.
The cheapest solution to secure your WordPress site is to learn how to do everything yourself. However that does have some negatives: takes time to learn, takes time to do the maintenance and configuration, easy to miss something if you're learning via YouTube videos or tutorials. The best solution for most users is to just hand security configuration and maintenance over to someone else. BriarMoon Design has been working with WordPress for many years and can cover all your security needs; contact us and we'd be happy to give you a quote or discuss any questions you may have.
What about the worst case scenario? That one in which your site is already hacked? There may or may not be any visible evidence of it. In some cases you may lose access or the site may have visible changes (such as ads), ransomware or you have complaints about emails you didn't send. In other cases there is no easily discernible evidence; but if examined carefully, user data is being sent somewhere or your site is being used to send spam. For example, this email:
Dear Customer, Your parcel was successfully delivered January 18 to USPS Station, but our courier cound not contact you. You can download the shipment label attached! With sincere appreciation, Peter Huber, USPS Mail Delivery Manager.
That attachment? oh yeah that just a virus. Quick look at the headers though shows it wasn't legitimately sent:
Subject: USPS parcel #01573285 delivery problem X-PHP-Originating-Script: 5500:post.php(6) : regexp code(1) : eval()'d code(17) : eval()'d code Date: Fri, 20 Jan 2017 05:09:38 +0200
Instead, that was sent by a remote, malicious actor using that site as a spam network. We have the experience removing trojans and re-securing the site to rescue yours.