You are only focussing on one area of WordPress, neglecting all others. Hackers use many many ways to hack a site and get access to such sites, not only through back end login and registering. WordPress by itself is quite secure if you keep up with installing updates as soon as they are released.
Also, keeping your PHP version updated is very crucial. At time of writing, you should not run any version of PHP below PHP 5.5 (Note, 5.5 will be EOL’ed in July 2016 and feature updates were already stopped). You should also make sure that your server is well protected, but this is something you should have checked when you bought your hosting. Low priced hosting is almost always not very secure and uses outdated software and programs.
You should worry about any plugin, theme and custom code used on your site, no matter where you downloaded it or got it from. It is your own responsibility to go through all code and find possible loopholes a hacker can exploit. Unescaped, non-sanitized and non-validated input coming from form fields and globals such as $_POST and $_GET, and PHP used in text fields, are most often the number one cause of a site being hacked.
A simple jQuery script added to a variable in your URL can be used to hack your site if you use that $_GET variable without escaping, sanitizing and validating it. It is that easy.
Another popular place which is abused by hackers is SQL injection. Improper use of SQL can leave a backdoor open for a hacker. That is why you should always use the prepare() method in the wpdb class to run custom SQL.
You have to remember, no code in this entire world is safe. Every piece of code is hackable, any site is hackable (which has been proved many times with huge huge sites), and all you can really do is to make it as hard as possible for a hacker to hack your site by keeping everything up to date and not using dodgy code, plugins or themes. Apart from that, there is absolutely nothing you can do to avoid being hacked.
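
The validate, sanitize, prepare() and escape steps mentioned in the answer above, as an added example that is not part of the original answer. It assumes the code runs inside WordPress (for instance in a plugin file); the function name, the `book_id` and `q` query parameters, the `books` table and the `example` text domain are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded. Hypothetical names:
// example_render_book_search(), query parameters `book_id` and `q`,
// table `{prefix}books`, text domain `example`.

function example_render_book_search() {
    global $wpdb;

    // Pattern to avoid (raw $_GET used directly in output and in SQL):
    //   echo 'Results for ' . $_GET['q'];
    //   $wpdb->get_results( "SELECT * FROM books WHERE id = {$_GET['book_id']}" );

    // 1. Validate: book_id must be an integer >= 1. filter_input() returns
    //    null when the parameter is missing and false when it is invalid
    //    (including when an array such as ?book_id[]=1 is sent).
    $book_id = filter_input(
        INPUT_GET,
        'book_id',
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( ! $book_id ) {
        return '<p>' . esc_html__( 'Invalid book.', 'example' ) . '</p>';
    }

    // 2. Sanitize: strip tags, extra whitespace and invalid UTF-8 from the
    //    free-text term. WordPress adds slashes to $_GET, hence wp_unslash().
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // 3. Query through prepare(): values are bound to %d and %s placeholders
    //    instead of being concatenated; esc_like() neutralises % and _ in the term.
    $table = $wpdb->prefix . 'books';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table} WHERE id = %d AND title LIKE %s",
            $book_id,
            $like
        )
    );

    // 4. Escape on output, even for values that came back from the database.
    $html = '<h2>' . esc_html( sprintf( 'Results for "%s"', $term ) ) . '</h2><ul>';
    foreach ( (array) $rows as $row ) {
        $html .= '<li>' . esc_html( $row->title ) . '</li>';
    }
    return $html . '</ul>';
}
```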