By WordPress, I mean everything written for WP, not just the core software. Honestly, with a little configuration with security in mind, WP Core is rather solid (security-wise). However, I have a client that wanted a specific "Feature" on their website; they found and installed a seemingly good plugin to add the desired functionality. Only 3 days later their website had been compromised. We started fresh and installed everything again, double-checking all the configurations. In just a day, it had been attacked and compromised again. How is this possible?
First, "Do Not Create Your Own Password Storage & Verification" (unless you 'Know' what you are doing); instead, use an already established and proven library, algorithm and 'scheme'. But let's say you are using PBKDF2-SHA256, which is very good, but like me you don't like how it stores the Salt in the database along with the hash and iterations. Well, on a project where I beefed up password security on a 10+ year old website, the client's on-staff developer came up with what I consider one of the best Salt storage ideas. Then it was my job to make it real, and make it fast enough for production use. (I am not covering basic password security concepts here, just a slight modification to increase the complexity of obtaining all the data needed to compromise a user's password.)
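As an added illustration, and not the developer's scheme (which this post does not spell out) nor code from the site in question: a PBKDF2-HMAC-SHA256 registration and verification pair in Python where the salt is returned separately from the hash-plus-iterations record, so the two can be persisted in different stores. The store names, user id and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration; tune the iteration count to the
# server's hardware and raise it over time.
ITERATIONS = 310_000
SALT_BYTES = 16
DK_LEN = 32  # PBKDF2-HMAC-SHA256 yields a 32-byte derived key


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the PBKDF2-HMAC-SHA256 hash of a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)


def register(password: str) -> tuple[dict, bytes]:
    """Return the credential record (hash + iterations) and the salt as two
    separate values, so the caller can persist them in different places."""
    salt = os.urandom(SALT_BYTES)
    record = {"iterations": ITERATIONS, "hash": hash_password(password, salt).hex()}
    return record, salt


def verify(password: str, record: dict, salt: bytes) -> bool:
    """Recompute with the stored iteration count and compare in constant time."""
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def split_storage_demo() -> dict:
    """Keep the record and the salt in two separate (in-memory) stores, then show
    that the record on its own is not enough to check a password guess."""
    credentials = {}  # stands in for the users table: user_id -> record
    salts = {}        # stands in for a separate salt store: user_id -> salt
    credentials["alice"], salts["alice"] = register("correct horse battery")
    return {
        "good_login": verify("correct horse battery", credentials["alice"], salts["alice"]),
        "bad_password": verify("wrong guess", credentials["alice"], salts["alice"]),
        # Without the real salt, even the right password does not verify.
        "record_only": verify("correct horse battery", credentials["alice"], bytes(SALT_BYTES)),
        "hash_len_bytes": len(bytes.fromhex(credentials["alice"]["hash"])),
    }


if __name__ == "__main__":
    print(split_storage_demo())
```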