Common reasons why CMS based websites get hacked

1. Predictable login and database credentials.
Login and database credentials that are very common like 'user: admin' and 'pass: admin123' or 'user: yourdomain_db' and 'pass: yourdomain_db123' are destined to get hacked. Common brute force tools will default to generate the ‘admin’ credentials on CMS administation panel. Make sure you think of a unique username and password to minimize the chances of getting your site compromised.

2. No 2nd layer of protection for Administration Panel
Hackers nowadays uses some advanced type of scripts to exploit administration panels, causing them to gain access with a little efforts being exerted. To counter this, you must have a 2nd layer of protection also known as 'Password Protect Directory' on your 'administration' folder / panel, which helps to prevent hackers from getting in.

3. Predictable table prefixes
Throughout any CMS installation process such as WordPress, you are asked to specify a table-prefix, 'wp_' being the default. Hackers do always take advantage of this mistake and will use an SQL injection attack to exploit your website's database.

4. Outdated, unsecured CMS files
Outdated, nulled and vulnerable themes, plugins and files are other reasons that cause CMS based websites getting compromised. Nulled files usually have malwares and backdoors while outdated files, themes and plugins may have loopholes that would cause breach of security. Make sure the files that you are getting are legit and updated.

5. File permissions are set incorrectly
While this might be handy, it’s probably not a wise idea to leave them writable in the case of an attacker gaining access to your site.
Make sure you refer to your CMS file's default permissions to avoid your configuration files getting read / executed by the hacker. Common default permissions:
A.) Folder = 755
B.) Files / Image / = 644
C.) Configuration Files = 400 / 644

6. Infected Computer
You might be confident that your computer isn’t infected, however, the amount of users that have had their FileZilla plain-text-stored passwords stolen is alarming. Once these critical passwords are leaked, it won’t be long until an attacker connects to your account’s FTP and kicks up the dirt. Always scan and check your computer's against trojans and malwares to ensure this doesn’t happen.