All websites on the internet are vulnerable to hacking attempts. The reason why WordPress sites are a common target is because WordPress is world's most popular website builder. It powers over 41% of all websites meaning hundreds of millions of websites across the globe.
In general plugins have problems and create security gups.
Always to usea security plugin, for me WordFence is the best.