A big question around WordPress is why do the websites get compromised externally? The WordPress itself is very strong and safe; but what makes it weak?
It may be primarily the contributed plugins that are not upto the good security standards! It is likely that a plugin is weak, but popular and used over websites.
Always use trusted plugins only.
And if you are using weaker plugin, regulate the usage by your users.