Attackers exploit vulnerabilities in software. This is well known throughout both the multimedia and IT-security industries.
Standard software, or at least the popular software everyone and their grandmother uses, is particularly exposed — think allocation of resources: the bigger the target, the more attractive it seems from an attacker’s point of view.
This doesn’t mean that you need to avoid popular software like WordPress for content management, or any other widely used solution. (“Security by Obscurity” does not usually cut it, anyway.) All this just explains why you might want to stay informed about existing vulnerabilities (or, if you don’t have the time or expertise for that, trust the developers to fix any security holes and simply update to the latest and “best” version).
Beyond this, you might add some common-sense measures though:
- do not use trivial passwords (no need for overly fancy ones either)
- watch your server logfiles for the latest goings-on on your website
- respond accordingly if you detect any irregularities
  - these usually include login attempts to “standard user IDs” (such as admin)
- change your Administrator account to a different user ID
- avoid your own domain name as a user ID (script kiddies try to brute-force that name regularly)
- deploy some security features (most CMS-es have special security add-ons, “plugins”, or packages)
- configure those packages correctly (a fire extinguisher is of no use unless you know how to handle it)!
- make frequent backups so you can recover in case of an attack
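
One way to watch the server logfiles for the login irregularities mentioned above, as an added example that is not part of the original post: it counts failed WordPress login POSTs per client in an access log. Assumptions: the Apache/nginx "combined" log format, the default `/wp-login.php` path, stock WordPress answering a failed login with 200 and a successful one with 302, an arbitrary threshold of 5, and constructed sample lines using documentation IP ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/wp-login.php"  # assumed default WordPress login location
THRESHOLD = 5                 # assumed cut-off; tune to your own traffic


def failed_logins_by_ip(lines):
    """Count login POSTs answered with 200, per client IP.

    Assumption: stock WordPress re-renders the form (200) on a failed
    login and redirects (302) on a successful one.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == LOGIN_PATH and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts


def suspicious_ips(lines, threshold=THRESHOLD):
    """Return the clients with at least `threshold` failed logins."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


# Constructed sample log (not real traffic).
_FMT = '{ip} - - [10/Mar/2024:04:12:{s:02d} +0000] "{req} HTTP/1.1" {st} 4321 "-" "Mozilla/5.0"'
SAMPLE_LOG = (
    # six failed attempts in a row from one client
    [_FMT.format(ip="203.0.113.7", s=i, req="POST /wp-login.php", st=200) for i in range(6)]
    + [
        # a normal user: one typo, then a successful login
        _FMT.format(ip="198.51.100.20", s=30, req="POST /wp-login.php", st=200),
        _FMT.format(ip="198.51.100.20", s=35, req="POST /wp-login.php", st=302),
        # merely viewing the login page is not an attempt
        _FMT.format(ip="192.0.2.44", s=40, req="GET /wp-login.php", st=200),
    ]
)

if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}: {failed_logins_by_ip(SAMPLE_LOG)[ip]} failed logins")
```

The access log does not record which user ID was tried; for that, use the login log of a security plugin.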
With just a handful of common-sense procedures or reasonably easy-to-use add-ons, your website should be safe and run for years without any successful attacks or even serious-enough incidents (almost-successful attempts) whatsoever. Attackers aren’t that smart, and just stopping their most stupid attempts usually leaves them clueless and moving on to easier targets.