The Dangers of Cross-Site Contamination

[Image: Enter & Exit subway turnstile. Caption: You can still get in…]

A plain WordPress website these days is quite secure. While plugins and themes can introduce security problems, WordPress itself has had few major issues recently, and the newest versions of WordPress aren’t the primary targets of hackers. That’s because there are enough outdated WordPress sites that finding new vulnerabilities isn’t necessary to hack into plenty of sites.

So you update your WordPress website frequently to make sure you’re running the latest plugins, themes, and WordPress itself and pat yourself on the back because you’re secure. But there’s one thing a lot of people overlook that makes all the updating worthless: older sites on the same server.

So long as you have multiple sites installed on a single hosting plan, only one out-of-date site is required to make all your sites vulnerable. When the old site is hacked and then the newer one gets taken along for the ride, this is called cross-site contamination. You can read a nice technical explanation on Sucuri’s site.

This is quite common—I’ve done it—because of the common practice of creating a beta site (for testing a new website), staging site (for testing changes to the current site), or standalone subsite (for any number of reasons) on the same server. These are all very useful when you need them, but they’re also easy to forget about and overlook when it comes time to update.

So if you have sites like that, either delete them or make sure you update them as frequently as you do your primary site. If you have more than a few sites, consider using a tool such as InfiniteWP to make that easier. Your sites won’t be impenetrable (none are), but they will be much safer.
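To find the forgotten beta and staging copies in the first place, you can inventory every WordPress install under the hosting account and compare versions. The script below is an added example, not part of the original post: it reads the `$wp_version` line that WordPress core keeps in `wp-includes/version.php`, and the function names and the sample directory layout are constructed for illustration.

```python
import os
import re
import tempfile

# WordPress core records its release in wp-includes/version.php as: $wp_version = '6.4.2';
VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", re.M)


def version_key(version):
    """Turn '6.4.2' into (6, 4, 2) so releases compare numerically, not as text."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_wordpress_installs(root):
    """Return {install_dir: version}; an unparsable version file is reported as 'unknown'."""
    installs = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            installs[os.path.dirname(dirpath)] = match.group(1) if match else "unknown"
            dirnames[:] = []  # nothing further to find below wp-includes
    return installs


def stale_installs(installs):
    """Installs older than the newest one on the same account (or of unknown version)."""
    newest = max((version_key(v) for v in installs.values() if v != "unknown"), default=())
    return sorted(d for d, v in installs.items()
                  if v == "unknown" or version_key(v) < newest)


def build_sample_account(root):
    """Constructed sample layout: a live site plus forgotten beta and staging copies."""
    layout = {"public_html": "6.4.2", "public_html/beta": "4.9.8", "staging": "6.4.2"}
    for site, version in layout.items():
        inc = os.path.join(root, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as account:
        build_sample_account(account)
        found = find_wordpress_installs(account)
        for site in stale_installs(found):
            print("out of date:", os.path.relpath(site, account), found[site])
```

On a real account, call `find_wordpress_installs()` on the account's home directory instead of the sample layout. The comparison is only against the newest install found on that account, so it catches copies that have fallen behind your primary site, not a primary site that is itself behind the current release.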

Photo c/o septuagesima on Flickr. Creative Commons 2.0 Attribution/NonCommercial/NoDerivatives license.
