Because it is so popular and easy to use attacking WordPress sites is favoured by hackers who want to break into a site and realise that the WP newcomer may not know how easy it is to compromise the site's security or may even think that their site won't be worth hacking.
Lesson 1: Your site is worth hacking, if only to add to a series of sites harnessed to be netbots carrying out other actvities such as Distributed Denial of Service (DDOS) attacks on corporate websites or a host for their phishing activities. That will get you listed by Google as an insecure site.
What will that do to your visitor figures?
Lesson 2: DO NOT ACCEPT THE DEFAULT ADMINISTRATOR USERNAME "ADMIN" when installing a new site or you have instantly reduced your security level by 50%. Your hacker now only has to guess your password. Give your username some thought. If you are Smiths Joiners don't choose 'smith'or 'joiner' as your username. WordPress will also tell you how secure your password is. Heed their advice.
Lesson 3: Add a suitable security plugin to your site. I favour Wordfence. It offers IP blocking at the individual level, advance blocking of a number of IPs and, if you buy the premium version, countrywide IP blocking.
If your site has already been hacked give me a call and I might be able to help you.