It depends on many different aspects. Most important is that you don't go with a bad host. Misconfiguring your server is a big mistake. Now, to secure your WordPress we would give a list to go through that is very simple, nothing very hard.
1- Make sure to set up WordPress correctly, either using their documentation or via your host-provided script. We at How Tekno provide 1 Click Install for 400+ Apps.
2- Make sure the permissions are set up correctly.
3- It is recommended to have the database locally, such as localhost, unless you know what you are doing, in which case you can configure it the way you like, for example a local switch or vSwitch etc.
4- Make sure to have plugins for brute force etc.
5- Have a good password on your user/s.
6- For extra security, whitelist only your IP to access the admin page. Careful: you need a static IP or a VPN connection with a static IP. For consumer internet, the best way is to use a VPN, normally even a VPN to your own VPS, since VPN providers might change the IP.
7- Go to your WordPress admin panel and make sure to check the health check that comes built-in with WordPress.
Further steps might be required but this list should be enough to get you started.
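A way to check item 2 of the list above (file permissions), as an added example that is not part of the original post. The baseline it checks against (directories 755, files 644, `wp-config.php` with no access for "other") is an assumption, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed baseline: directories 755,
# files 644, and wp-config.php with no access for "other" (for example 640).

audit_wp_perms() {
    root=$1
    if [ ! -f "$root/wp-config.php" ]; then
        echo "ERROR: no wp-config.php under $root" >&2
        return 2
    fi
    report=$(
        # Anything world-writable can be modified by any local account.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec echo "WORLD-WRITABLE" {} \;
        # Group-writable files deviate from the assumed 644 baseline.
        find "$root" -type f -perm -0020 ! -perm -0002 \
            -exec echo "GROUP-WRITABLE" {} \;
        # wp-config.php holds the database credentials.
        find "$root/wp-config.php" \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
            -exec echo "CONFIG-EXPOSED" {} \;
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree with three deliberate problems, for demonstration.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"; : > "$d/index.php"; : > "$d/wp-content/theme.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"      # world-writable directory
    chmod 644 "$d/wp-config.php"           # readable by "other"
    chmod 644 "$d/index.php"
    chmod 664 "$d/wp-content/theme.php"    # group-writable file
    echo "$d"
}

demo=$(make_demo_tree)
audit_wp_perms "$demo" || true
rm -rf "$demo"
```

The function returns 0 when nothing is flagged, 1 when there are findings and 2 when the directory is not a WordPress root, so it can run from cron or a deployment check.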
By default, it can be attacked in some ways, but it is not easy to hack WordPress. If you want to secure it, you need to improve or increase security for your WordPress site by configuring some things around it, such as protecting your wp-admin, changing the admin username, securing your hosting server, etc.
No, you cannot lock down a website 100%. Even a static website can be hacked. But will it be worth it?
I like to use a certain CMS that allows me to design as if I am designing a static site, and doesn't require that I give credit for the package to the developers.
I am also starting to use a version of WordPress that is maintained and updated as new releases come out (so that I do not have to interrupt my busy day to do it myself); the managing host does it for me. I don't like it much, but I don't have to worry about it since it's kept up to date and easy to log in and maintain.
There are certain things you can do to avoid hacking. First, keep all your important data OFFLINE. Let your payment processor or bank maintain all the financial info. Always require a secure connection. Keep private customer info OFFLINE and backed up (but not in the cloud, unless someone has an impossible-to-break encryption for your backups... usually an encrypted backup service dedicated to the task). Maintain tight security at the office (and home). Sign up for a website security program and website backups at your host just in case, so you can recover very quickly.
It really shouldn't be that scary. Remember that most hackers gain access by asking employees the strange questions they might need to break a password: What's your favorite number? What's your son's/daughter's/pet's name? When did you graduate? ...so require that everyone use crazy letter/number/symbol jumbles and pay for their password safe/manager on their phone/tablet/computer to make sure they always have it and it remains safe.
Always keep the software updated, though. WordPress especially is crazy with bugs (like Windows, and like Mac).
Undoubtedly, WordPress Website security is one of the major concerns of almost every developer on this planet. It's because there are so many hackers around us and therefore, developers have the fear of getting hacked anytime. To avoid the malicious attack on your website you have to think a step further because the security of your website is the most prioritized concern, which you cannot overlook anyhow.
Use our checklist for the foundations of good WordPress Security
1. Clean and remove spyware, malware and viruses from your PC/Mac before entering the backend of your WordPress installation
2. Back up your website before you do anything; this is easily done with the use of Backup Buddy.
3. Never use 'admin' as a username.
4. Always use a strong password.
5. Stay Updated - Ensure your WordPress Installation and WordPress Plugins are always up to date. See Latest WP Security Updates in the resources section below.
6. Limit Login Attempts - Ensure you reduce the login attempts down to around 3 attempts. Don't make it easy for the hackers.
7. Remove unwanted WordPress Themes - When themes are still on your website and they go out of date, hackers use these to gain entry. Only have the theme you are using installed and keep that up to date.
8. Spring Clean - Your WordPress website may have other folders on the root of your server. Do you really need them, or are they development areas? If you don't need the folders, delete them.
9. Your Hosting Company - Make sure you are using a hosting company that specialises in WordPress installations. WordPress servers need special attention to protect your website.
10. Double Layer Authentication - Use an added layer of security.
All of the above tricks will ensure the security of your WordPress website. So, what are you waiting for? Your website security is at risk; take the necessary actions to secure it as soon as possible.
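A way to verify checklist item 6 (limit login attempts) from the server side, as an added example that is not part of the original post: it lists clients that sent more than 3 POSTs to `/wp-login.php`. The combined access-log format, the function names and the sample log lines are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a combined-format access
# log; the limit of 3 is the figure from the checklist.

# Print "count ip" for each client with more than $2 POSTs to /wp-login.php.
# Every POST is counted, because the log alone does not reliably show whether
# a login attempt failed.
login_offenders() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range addresses), written to a temp file.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
192.0.2.20 - - [01/Jan/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
192.0.2.20 - - [01/Jan/2024:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
192.0.2.20 - - [01/Jan/2024:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 900 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
EOF
    echo "$f"
}

log=$(make_sample_log)
login_offenders "$log" 3
rm -f "$log"
```

If a login limiter is active, no address should appear in this output; any that does is a sign the limit is not being enforced for that client.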
WordPress itself is generally secure but there are of course extra precautions you can take. Most issues with WordPress are caused by outdated plugins/themes etc. Make sure you only use ones that are regularly updated and have a strong reputation.