Let’s say that on the day you set up your WordPress site, it was secure. You’d used the latest version of WordPress, along with a new theme you paid for. You also installed several security plugins, and everything was up to date and secure.
Question: Will it stay secure?
You’d think the answer would be yes, but the answer is NO. Here’s why, in the words of a web security expert from Wordfence:
You might build a new website with the latest secure versions of WordPress and all of the relevant plugins and a theme. As time passes, vulnerabilities are discovered in your plugins, theme and the version of WordPress core you are using. Those vulnerabilities (or security holes) become public knowledge at some point.
There is usually a delay between when the vulnerability becomes public knowledge and when you get around to installing a fix. Even when a fix is automatically released by the WordPress security team, the vulnerability may have been public knowledge for some time. This was the case with the recent PHPMailer vulnerability, which took several weeks for a patch to appear in WordPress core and be automatically deployed.
Beware! Scammers and attackers are clever, and they are constantly looking for ways to break into websites. The moment they find one, all the sites that use the flawed code become TARGETS. Including my sites and yours.
The article goes on to provide a solution. You can read it here: Do You Need a WordPress Security Plugin?