I've had two WordPress blogs hacked into previously. That was in a time when I was doing virtually no internet advertising, and until I found time to handle the situation (weeks later), these sites were penalized in the main search engines. They were not eliminated the ratings were reduced.
By default, the newest version of WordPress is pretty darn secure. The development team of WordPress has considered anything that might have been added to any clean hacked wordpress site plugins. In the past , WordPress did have holes but most of them are filled up.
I might find it a little more difficult to crack your password, if you're among the ones that are proactive. But if you're one of the ones that are reactive, I might get you.
There is a section of config-sample.php that's headed"Authentication Unique Keys." There are. A hyperlink is within that read the article part of code. You want to enter that link into your browser, copy the contents that you return, and then replace the keys you have with the unique, pseudo-random keys provided by the website. This makes it harder for attackers to automatically generate a"logged-in" cookie for your site.
Now it's time to register for a new Facebook accounts and use identity to pose as your friend and this person's name. Once I get it all set up, I'll be telling you posing as your friend and asking you to be friends with me on Facebook (or Twitter, or whichever societal site).
Don't use wp_. That default is being eliminated by web hosting providers but if yours doesn't, fix wp_ to anything but that.