Unfortunately, this is what happens when software like WP etc. makes it child's play to commence a website. With no web dev knowledge, 99.999% of these people also have ZERO experience in website security. It's why so many WP sites are hacked.
Even just adding an .htaccess file to wp-admin, with a "deny from all, allow from ONLY your ISP IP", will make it so much harder.
Having your config file stored outside your root is another easy way to keep your WP heaps safer.
Using fewer plugins = fewer vulnerabilities... And, most importantly, updating the core with new releases, including themes and plugins.
Problem is, non-techie people who are not developers, who are generally clueless about website security, be this WP or other, will continue to give these hackers simple access to their site because of all the above.
FYI... WP itself doesn't help either... granting access to ALL database privileges, when only 10 are required.
A simple injection coding, and another WP is taken by a hacker.
---
Compliance: a code word for control
---
Do the right thing, even when no one is looking. It's called integrity.
---
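Added example, not part of the post above: a small Python check that reads the text of a wp-admin .htaccess and reports whether it really is the "deny from all, allow from only your IP" rule the post recommends, accepting both the Apache 2.2 wording and the Apache 2.4 `Require ip` form. The function name `audit_htaccess` and the sample files are assumptions made for illustration.

```python
import ipaddress

# Constructed samples; 203.0.113.7 is a documentation address standing in for "your ISP IP".
SAMPLE_22 = "Order deny,allow\nDeny from all\nAllow from 203.0.113.7\n"   # Apache 2.2 style
SAMPLE_24 = "# wp-admin lock\nRequire ip 203.0.113.7\n"                    # Apache 2.4 style
SAMPLE_OPEN = "Order deny,allow\nDeny from all\nAllow from all\n"          # looks locked, is not

def audit_htaccess(text):
    """Return (restricted, allowed_networks, problems) for the text of a wp-admin .htaccess."""
    default_deny = False            # are clients that match no allow rule refused?
    allowed, problems = [], []
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if not words or words[0].startswith("#"):
            continue                # blank line or comment
        head = words[:3]
        if head in (["deny", "from", "all"], ["require", "all", "denied"]):
            default_deny = True
        elif words[:2] == ["order", "allow,deny"]:
            default_deny = True     # with this order, anything not matched by Allow is refused
        elif head == ["require", "all", "granted"]:
            problems.append("'Require all granted' admits every client")
        elif words[:2] in (["allow", "from"], ["require", "ip"]):
            if words[0] == "require":
                default_deny = True  # a Require ip line refuses clients it does not list
            for token in words[2:]:
                if token == "all":
                    problems.append("'Allow from all' admits every client")
                    continue
                try:
                    net = ipaddress.ip_network(token, strict=False)
                except ValueError:
                    problems.append(f"cannot verify {token!r}: not a full address or CIDR range")
                    continue
                if net.prefixlen == 0:
                    problems.append(f"{token} matches every address")
                allowed.append(net)
    if not default_deny:
        problems.append("no default deny: clients that are not listed are still admitted")
    return default_deny and not problems, allowed, problems

if __name__ == "__main__":
    for name, sample in [("2.2", SAMPLE_22), ("2.4", SAMPLE_24), ("open", SAMPLE_OPEN)]:
        print(name, audit_htaccess(sample))
```

Directives nested in containers such as `<RequireAll>` are not evaluated, so a file that uses them still needs a manual read.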