"It is almost impossible for developers to keep up with vulnerabilities," he says. "They are trying to run their site, and trying to keep track of all the patches and applying them is difficult."
Web-security services like Sucuri, Cloudflare and Incapsula can buy administrators more time to patch their sites, by blocking known attacks.
2. Don't forget your plugins and themes
While keeping the main content management system up-to-date is challenging, patching every plugin can be a more onerous burden, as attackers have increasingly targeted vulnerabilities in plugins and themes to compromise Web sites.
"In general, attackers are trying to own as many WordPress sites as possible using as many zero days or recently-disclosed vulnerabilities, and then using that site for other attacks," says Wordfence's Maunder.
A variety of Wordpress plugins provide security. Wordfence, BulletProof Security and iThemes Security perform a variety of security-related tasks, from scanning Web sites for compromises to setting the security controls of a WordPress site to harden the software against the most common attacks.
3. Regularly maintain your Web site
Having a hosted Web site is a responsibility and requires frequent maintenance. Administrators should back up the site, and make sure the backup is copied off the Web server--many inexperienced administrators overlook that step, says Maunder.
If you don't have time to do this, go with a fully managed site. Wordpress.com has a wide variety of templates and more flexibility than ever before. For other content management systems, such as Joomla and Drupal, a hosted service provider can manage the CMS on that server and help keep your Web site patched.
Sign up for CIO Asia eNewsletters.