A recent post on the Wordfence blog discusses a major set of attacks against WordPress sites, titled WP-VCD. Most of my readers will not be interested in the technical details (which are, in fact, very interesting!), but the basic actions to keep your site secure listed near the end are worth your time.
If you do take time to read the earlier material, you will improve your understanding of why these steps are important. In summary, the attacks in question are carried out through nulled and pirated plug-ins. The simple answer is to be extremely careful where you get software. In the search for lower cost, you can end up paying a very high price indeed.
This will explain why I require any sites on my Energion Publications server to be updated regularly, and in fact will update these sites myself as necessary. Since these sites are all for my IT clients or for authors for Energion Publications, this is something I can enforce, and I do.
If you are hosting your WordPress site in any unmanaged environment, be paranoid. Many of my clients know my unofficial motto: Paranoia has served me well!