In the latest article from Sucuri, they released some interesting data about the hacked websites they clean. 25% of the WordPress websites that were hacked were using one of three outdated plugins: Revslider, Gravity Forms, or TimThumb.
Another interesting fact: 78% of the hacked websites were WordPress. I’m confident that WordPress is as safe as any other platform; it is just very popular (about 25% of all websites, 78 million, are WordPress these days, with 50,000 new WP websites each day). Furthermore, compared with platforms like Drupal and Magento, it is especially popular with “non-techies”, which increases the risk of neglected update management.
“In all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core”
What this means is that the plugins, not the core, are causing the issues. And I suspect that most of these issues had already been fixed in the plugin before the site was hacked. The following quote confirms this:
“All three plugins (Gravity forms, Revslider and TimThumb) had a fix available over a year, with TimThumb going back multiple years (four to be exact, circa 2011)”
This shows us once more that continuously updating your platform is one of the most powerful ways to increase security!
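As an added example (not code from this post or from Sucuri), here is a small shell check for the risk described above: it lists plugins with a pending update from WP-CLI output and locates bundled TimThumb copies. It assumes `wp plugin list --fields=name,version,update --format=csv` output on stdin and a wp-content path as argument; the CSV and directory tree below are constructed sample data.

```shell
#!/bin/sh
# Added example: spot stale plugins of the kind the Sucuri report blames.
# Assumes WP-CLI CSV output ("name,version,update") on stdin; the sample
# data further down is constructed, not taken from a real site.

# Print every plugin with a pending update; tag the two plugins from the
# report that WP-CLI can see (Revslider, Gravity Forms) as high risk.
flag_outdated_plugins() {
  awk -F, 'NR > 1 && $3 == "available" {
    tag = ""
    if ($1 == "revslider" || $1 == "gravityforms") tag = " [HIGH RISK: named in the Sucuri report]"
    print $1 " " $2 tag
  }'
}

# TimThumb is a library file bundled inside themes and plugins, not a plugin
# of its own, so it never appears in `wp plugin list`; find copies by name.
find_timthumb() {
  find "$1" -type f -name 'timthumb.php' 2>/dev/null
}

# Constructed sample WP-CLI output (versions are illustrative only).
SAMPLE_CSV='name,version,update
akismet,3.1.7,none
revslider,4.1.4,available
gravityforms,1.8.9,available
contact-form-7,4.3.1,available'

# Constructed wp-content tree containing one bundled TimThumb copy.
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/themes/example-theme/lib"
: > "$SAMPLE_ROOT/themes/example-theme/lib/timthumb.php"

# On a live site:
#   wp plugin list --fields=name,version,update --format=csv | flag_outdated_plugins
#   find_timthumb /var/www/html/wp-content
printf '%s\n' "$SAMPLE_CSV" | flag_outdated_plugins
find_timthumb "$SAMPLE_ROOT"
```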