You might think that websites get hacked through the WordPress login, and some do, but a much bigger problem is themes and plugins. We don’t know what code is in a plugin or theme, or what it is doing, and we assume that everything is OK. It may not be.
Here is an interesting story from Wordfence, which discovered some strange code in a theme and plugin from Pipdig. It had code that enabled admin backdoors into your site, had the power to delete your site, and could have been used to attack competitor’s sites.
There is no evidence any of this was actually happening to anyone, but why would they put in the code to do this?