Because WordPress is open source (free), it is more vulnerable to being hacked. Hackers are less interested in taking your site down than they are in using your server to send spam emails without being detected. Your first line of defense is a secure username & password.
WordPress websites are attacked every day by hackbots trying to guess usernames and passwords. Because WordPress is open source, they know exactly how to log in. These automated hackers can make hundreds of guesses per second.
For a very long time, the default username when WordPress was installed was “admin”. That’s the very first username that hackbots will try on your site. It’s vitally important that if you have a username “admin” that you get rid of it as soon as possible. Create a new username with administrator level privileges, log out, login with the new username, and delete the “admin” user.
Your password should never be – or even contain – your domain name or username. Those are too easy to guess. A secure password contains lower and upper case letters, numerals, and symbols, and is at least 8 characters long – the longer the better.
While most people try to use a word or phrase that they can remember, you can create more complex passwords (even strings of random characters) – and have more help in creating and remembering them – by using a password manager in your browser. Three that offer their base level for free are: KeePass, Passpack or LastPass. Others with a paid level are: OnePassword, RoboForm. (Personally, I use LastPass, and pay the $12 a year so that I get access on my mobile device.)