A few years ago, my one wordpress site got hit by a hacker that redirected traffic to a "Congratulations! You are the winner of a [iPhone/$1000/Whatever]" site.
It took a long time to find the hack and eliminate it. It was probably a brute force/dictionary attack because I had a really simple password that I used a lot of other places. Two terrible ideas.

I switched web hosts over the last three days (site5 has failed me and I'm not going to be renewing) 66513 files - about 9GB - downloaded, backed up and uploaded took about 7 hours. Then getting the databases to work with the wordpress sites was a bit of a chore. Installing and forcing SSL, recreating all my email addresses and forwarders, etc. Three days of mind-numbing work, whew.

That all brings me back to the wordpress CMS. I had forgot how many hacking attempts that I get. After the initial successful hack, I installed two-factor authentication and the WordFence plugin. After seeing how many hacking attempts were thwarted via email, I eventually shut off the notifications.

I did get less chinese attempts since I mentioned something about the Tiananmen Square Massacre on my site but I still get them. I'm getting the email notifications again.

So, If you are running a wordpress site, at least install some sort of 2FA. And get a good password that you aren't using elsewhere. The WordFencefree version helps a lot and I'm considering going to the paid version. I've heard that iThemes Security plugin is good, too, and the paid version is less expensive.

Things are getting worse for security and privacy so watch your stuff.