However, as with other somewhat open source systems, WordPress is unable to keep up with cleansing any potential security flaws found in the increasing amount of plugins and templates released on what seems to be an unrelenting scale. Due to this, webmasters then have a responsibility to check and test any templates and add-ons which have not been checked by the WordPress development team, unfortunately, this is something seldom done due to either time restraints or lack of experience.
Like many content management systems, one of the largest issues leading to compromised systems are outdated versions of the WordPress core or a general lack of security patches released by the development team. Unfortunately, there are some core security flaws that simply require a re-doing of major files, which leads teams to release newer "versions" of WordPress which do not contain these loopholes through which hackers typically either steal user information or simply deface template files leading to visible damage. The problem arises when webmasters ignore the notification sent by WordPress to download; install and update their core files and hence leaves them open to any security flaws now publically highlighted. In late 2012, Reuters, who run their website using WordPress was hacked and as they hadn't upgraded their system from 3.3.3 to 3.4.1 hackers were able to use a simple hack to gain access and deface the website.
As previously mentioned, there is a wide variety of add-ons and plugins available for WordPress users to download and install on their system - there is over 20,000 plugins to be a little more precise. Most of these plugins are developed my WordPress users with varying experience when it comes to programming and hence some are a little more secure than others, there isn't any real consistency between plugins which can pose a threat to out-of-date systems.
There are some plugins which have not been updated in over 6 months which simply open a whole can of worms for inexperienced webmasters if a veteran hacker is resourceful enough to research any security flaws in the plugin itself. You must remember that simply because the plugin is 'separate' from the core files, does not mean the secure part of the installation is secure, most plugins communicate using the core files and hence they are at risk.
To conclude, the most common vulnerabilities which lead to successful hacking attempts on WordPress installations include; out-of-date software, lacking system administration, holes in the server which the WordPress installation is on and lack of web knowledge by the webmaster. In any case, there is a variety of methods and even add-ons available which can help secure WordPress installations with very little pre-knowledge of the programming language they are written in. WordPress can only secure their product to a certain degree; the rest is down to whoever installs it on their server.