WordPress, out of the box, without additional plugins or configuration is minimally secure. Add themes and plugins then the WordPress website security infection risk level starts going up.
Hackers are constantly probing every web site out there everyday. They look for outdated themes, plugins and servers which contain security vulnerabilities.
Once you are hacked then your web site may go down or worse, sets up the viewer to be infected and or held for ransome.
WordPress – Lock down your WordPress web site with security measures. Install a backup system in the event when a security hole opens up, a administrator / webmaster / user makes “mistake” and or the server is breached.
Hosting Company Server – Shared hosting account server security is managed by the hosting company. Your own offsite backups are important if the hosting company security is breached.
Your WHM/CPanel VPS – Security on your VPS (Virtual Private Server) is your responsibility. Harden your VPS using common industry security standards and practices.