WordPress is really a nice software. I use it for websites and blogs. The problem is that WordPress is so common used in the net that hackers aggressive try to enter your site and inject eval php code. This is really terrible and I suffered some times ago because such a hackers attach against main own web sites.
After all I think two things can help to lock out hackers from wordpress.
1) Wordfence Plugin
The Wordfence Plugin is – in my eyes – really good software. You should install this plugin to understand if your wordpress is under attack.
2) Protect your directories
The important thing running WordPress is to protect your directories. Never allow the apache server to write into the WordPress instalation directory. I know this is for most people an essential feature because this allows to easily update WordPress, install Plugins and Themes. But this also allows hackers to inject bad php code into your installation. And the most secure way to protect your wordpress installation is to disallow the apache server to write into the installation code.
For Linux servers this means:
In your apache web directory create a folder for your WordPress installation and reduce the directory access to a minimum which means only your own linux user account should be the owner and allowed to change content.
ls -l /var/www/ drwxr-xr-x 5 youraccount youraccount 4096 Apr 16 21:12 wordpress
As you can see the apache user (e.g. www-data) can only read but not change directories. Any changes on the wp-config.php or the installation of plugins or themes can still be made by direct ssh access (in this example) from the user ‘youraccount’.
The only exception could be the wp-content/uploads folder which need to be writable from apache when you try to upload an image.
There are a lot of additional tipps and tricks how to protect your WordPress. But I think protecting the WordPress installation from modification by the apache server is the best way.