"WordPress is fairly secure as long as you don't use any extensions and don't let arbitrary users sign up" is technically true, but it's no surprise that a lot of WordPress use cases collide with these two things.
For example, a WooCommerce site is both more sensitive than a blog and more likely to have sign-ups open and functionally necessary additional plugins running.
For better and for worse, WordPress is the ecosystem, not just the software itself.
For example, a WooCommerce site is both more sensitive than a blog and more likely to have sign-ups open and functionally necessary additional plugins running.
For better and for worse, WordPress is the ecosystem, not just the software itself.