EFF technologist (and creator/maintainer of cool privacy tools) Yan Zhu noticed that WordPress still does not secure its session cookie: the cookie is not marked Secure, so the browser sends it over plain HTTP, meaning users at the local Starbucks can have their accounts hijacked by anyone sniffing the Wi-Fi.
I first popularized this problem in 2007 at BlackHat with my Hamster/Ferret tools, hijacking an audience member's GMail account (I probably shouldn't have done that -- but the demo was otherwise not working). Eric Butler then released a much easier tool called Firesheep which really got the ball rolling: my tool was for hackers, but Firesheep made it so anybody could exploit the bug.
Google quickly fixed their servers over the next two years. Yes, relative to everyone else, this was "quick" -- it took everyone else much longer. Today, it's considered standard that when you log into a website, the entire session must be encrypted with HTTPS.
But not so WordPress -- apparently they haven't even started working on solving the problem. It's been 7 years since this was in the news, and they still haven't dealt with it.
But this isn't even the worst problem. On WordPress.com, the login screen itself is served via HTTP. Cookie hijacking only gives the hacker your current session, not your password or the ability to make major changes. An unencrypted login form lets a local hacker (sitting next to you at Starbucks) steal your password as you log in, either by sniffing the submitted form or by rewriting the page before it reaches you. Since you are probably a dufus and use the same/related password for all your other accounts, this means the hacker can steal everything.
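The two weaknesses above are easy to check for mechanically. Below is an added example (not WordPress code, and not Yan Zhu's tool) that audits a response the way a practitioner would: it flags session-looking cookies that lack the Secure or HttpOnly attributes, and flags login pages that are served over HTTP or whose password form posts over HTTP. The Set-Cookie headers, the cookie name `wordpress_logged_in_example`, the host `blog.example` and the HTML are all constructed for the example, not captured from any real site.

```python
"""Audit an HTTP response for session cookies that lack Secure/HttpOnly
and for login forms served or submitted over plain HTTP.
Added example; not WordPress code. All sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that suggest a cookie carries a login session (heuristic, an assumption).
SESSION_COOKIE_HINTS = ("logged_in", "sess", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return (cookie, problem) pairs for session-like cookies missing Secure or HttpOnly."""
    findings = []
    for hdr in set_cookie_headers:
        name, attrs = parse_set_cookie(hdr)
        if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            continue  # not obviously a session cookie; skip it
        if "secure" not in attrs:
            findings.append((name, "missing Secure: sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by injected script"))
    return findings


class _LoginFormFinder(HTMLParser):
    """Collect each <form> that contains a password field, with its action attribute."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of (action, has_password_field)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_page(page_url, html):
    """Return findings: page served over HTTP, or a password form posting to a non-https URL."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("login page served over HTTP: form can be rewritten in transit")
    finder = _LoginFormFinder()
    finder.feed(html)
    for action, has_password in finder.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # resolve relative actions against the page URL
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts to {target} over HTTP")
    return findings


# Constructed samples: a weak response and its hardened counterpart.
WEAK_COOKIES = [
    "wordpress_logged_in_example=alice%7C1700000000%7Chash; path=/; HttpOnly",
    "wp-settings-time-1=1700000000; path=/",  # preference cookie, not a session; ignored
]
HARDENED_COOKIES = [
    "wordpress_logged_in_example=alice%7C1700000000%7Chash; path=/; Secure; HttpOnly",
]
LOGIN_HTML = """
<form name="loginform" action="/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>"""
WEAK_LOGIN_PAGE = ("http://blog.example/wp-login.php", LOGIN_HTML)
HARDENED_LOGIN_PAGE = ("https://blog.example/wp-login.php", LOGIN_HTML)

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_COOKIES), ("hardened", HARDENED_COOKIES)):
        print(label, "cookies:", audit_cookies(hdrs))
    for label, page in (("weak", WEAK_LOGIN_PAGE), ("hardened", HARDENED_LOGIN_PAGE)):
        print(label, "login page:", audit_login_page(*page))
```

Against a live site you would feed `audit_cookies` the `Set-Cookie` headers from the response to a successful login and `audit_login_page` the URL and body of the login screen. Secure alone does not stop a network attacker who can serve the HTTP version of the site first; it only stops the browser from leaking the cookie it already holds, which is exactly the hijack described above.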
As it turns out, this may not even be the worst problem. The standard WordPress configuration is built on the LAMP (Linux-Apache-MySQL-PHP) stack, which has been obsolete for more than a decade. The problem with LAMP is that it doesn't scale: every page view runs PHP and queries MySQL, so serving a post costs the same whether or not anything has changed since the last visitor.
The result is that once you've written a lot of blogposts, SEO bots (search engine optimization robots) start spidering your blog, downloading a copy of every post and comment. This frequently overloads the server and takes the blog down. People just learn to live with it, with friends occasionally complaining that they can't get to the blog.
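When a blog falls over like this, the first question is which clients are generating the load, and the web server's access log answers it. The following is an added example, not WordPress or Apache code, that parses Combined Log Format lines and reports each user agent's peak request rate over a sliding window, so the operator can see the spidering crawler and throttle or block it. The log lines, the crawler name `ExampleSEOBot` and the addresses are constructed for the example.

```python
"""Find which clients are hammering a blog, from an Apache/nginx "combined" access log.
Added example; not WordPress or CloudFlare code. The log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def crawler_load(lines, window_seconds=60, threshold=3):
    """Return {user_agent: peak requests within any window_seconds span}
    for clients whose peak exceeds threshold."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on a partial log
        times[rec["ua"]].append(rec["time"])
    hot = {}
    for ua, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hot[ua] = peak
    return hot


# Constructed sample: one crawler fetching four posts in six seconds, one human reader.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:00 +0000] "GET /2014/10/post-1/ HTTP/1.1" 200 5120 "-" "ExampleSEOBot/1.0 (+http://seo.example/bot)"
203.0.113.5 - - [10/Oct/2014:13:55:02 +0000] "GET /2014/10/post-2/ HTTP/1.1" 200 4870 "-" "ExampleSEOBot/1.0 (+http://seo.example/bot)"
203.0.113.5 - - [10/Oct/2014:13:55:04 +0000] "GET /2014/10/post-3/ HTTP/1.1" 200 5011 "-" "ExampleSEOBot/1.0 (+http://seo.example/bot)"
203.0.113.5 - - [10/Oct/2014:13:55:06 +0000] "GET /2014/10/post-4/ HTTP/1.1" 200 4990 "-" "ExampleSEOBot/1.0 (+http://seo.example/bot)"
198.51.100.7 - - [10/Oct/2014:13:55:10 +0000] "GET /2014/10/post-1/ HTTP/1.1" 200 5120 "https://www.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.7 - - [10/Oct/2014:13:56:30 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
"""

if __name__ == "__main__":
    for ua, peak in crawler_load(SAMPLE_LOG.splitlines()).items():
        print(f"{peak} requests/60s from {ua}")
```

On a real server you would stream the log file into `crawler_load` with a threshold that matches what the PHP/MySQL backend can actually sustain. A well-behaved crawler identifies itself in the user agent and honours a crawl delay in robots.txt; one that does not is a candidate for rate limiting at the front end, which is the part of the problem a CDN such as CloudFlare absorbs.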
I know several people who've had this problem, and have partially solved the problem with CloudFlare. This gets rid of most, though still not all, scalability issues.
The upshot is this: WordPress is fundamentally broken in every way something can be broken. There's no way to secure it. There's no way to make it fast enough without spending a lot of money. If you are starting a new project, do not under any circumstances use WordPress. If you are stuck with WordPress, well, then, it sucks to be you, I know of no way to help you.