It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.
That pretty much sums everything up, but I highly encourage you to read the entire post, as Jason Cosper brings up a number of good points that illustrate just how secure the core of WordPress is. Outside of the big brute-force attacks on WordPress sites, which really had nothing to do with the security of WordPress, I can’t remember the last time I updated due to a critical security vulnerability in the core. There are so many variables that are sometimes out of the control of the end user. Unfortunately, all too often, web hosts put the blame on software such as WordPress when the real issue is their server setup.
Check out this comment from Mark Jaquith in 2011, in response to someone claiming that running WordPress was akin to running Windows 95 without patches, as comical as that sounds.
I maintain that shared hosting, by and large, is a disaster waiting to happen. And the funny thing is, you can get a solid VPS on the cheap now. The host I recently switched to, Digital Ocean, has a plan that only costs $5/month. Five dollars a month will get you a box, a virtual machine that’s properly walled off from other customers, with 512MB of memory, 20GB of space on an SSD and a higher monthly data transfer quota than the vast majority of sites would use in a year. RamNode has similarly attractive pricing.
All it takes is a tiny amount of Linux knowledge and you can install an nginx+php+mysql stack and be up and running in a couple of hours.
There’s really no reason for someone to subject themselves to the horrors of shared hosting.