FurrTrax - Furry Networking!!!!!






Forums » Public Safety Section » Furnationcom is DOWN Mass Account Loss Possibly Hacked


DarkXander
Owner of FurrTrax

Post ID: 1395
Posted: 08-11-2016 08:23 AM

Due to the XMLRPC DDoS issues, WordPress is worse.

While it's harder to breach and grab data from, it's effortless to trick a WordPress site into DDoS attacking anyone you want it to without any admin access at all.

Google XMLRPC Reflection/Amplification Attack
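
A defender-side sketch for the XML-RPC abuse mentioned in the post above, added here as an example and not part of the original thread: a method allowlist applied to request bodies before they reach WordPress's `/xmlrpc.php`. The function name, the allowlist contents and the size limit are assumptions, and the sample bodies are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the only XML-RPC methods this site needs. Everything else,
# including pingback.* and system.multicall, is refused.
ALLOWED_METHODS = {"wp.getPosts", "wp.newPost", "wp.editPost"}
MAX_BODY_BYTES = 64 * 1024  # assumed limit for a legitimate call


def check_xmlrpc_body(body: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one POST body sent to /xmlrpc.php."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    # Accept plain UTF-8 only, so the byte-level checks below cannot be
    # sidestepped with a UTF-16 encoded body.
    if b"\x00" in body:
        return False, "unexpected encoding"
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return False, "unexpected encoding"
    # Refuse DTDs outright so entity declarations never reach the parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "DTD/entity declaration"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != "methodCall":
        return False, "not a methodCall"
    method = (root.findtext("methodName") or "").strip()
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method or '(none)'}"
    return True, "ok"


# Constructed sample bodies (parameters left empty on purpose).
SAMPLES = {
    "editor": b"<?xml version='1.0'?><methodCall>"
              b"<methodName>wp.getPosts</methodName><params/></methodCall>",
    "pingback": b"<methodCall><methodName>pingback.ping</methodName>"
                b"<params/></methodCall>",
    "multicall": b"<methodCall><methodName>system.multicall</methodName>"
                 b"<params/></methodCall>",
    "dtd": b"<!DOCTYPE x []><methodCall>"
           b"<methodName>wp.getPosts</methodName></methodCall>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_xmlrpc_body(body))
```

An allowlist is used rather than a blocklist so that batching wrappers such as `system.multicall` are refused without having to inspect their nested calls.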



Elshara Silverheart
Member

Post ID: 1397
Posted: 08-11-2016 14:08 PM

That's probably because its .htaccess isn't set up as securely. Everything can be avoided if the file permissions of the server are a first priority. Then you must worry about the code itself. How easy it is to manipulate. The worst case scenario, someone has your database information so then there's a MySQL problem for many users. Then you have to basically try to not hack WordPress if the actual site itself can be so hackable. Yeah, I see what you're saying. Finding reasons to not hack something is more challenging than finding one to hack it. It's for that reason I'd never use WP, ever. Not even as a blog.



Elshara Silverheart
Member

Post ID: 1398
Posted: 08-11-2016 14:20 PM

I do use a platform for a private blog but it's hardly worth hacking because nobody even knows about it and the page rank is low enough that it doesn't show up in Google. SocialEngine is good for that, and it's actually a security benefit because Google traffic can break a site if it's not hosted on a powerful server. I'm planning on going custom but I am tempted to get a better background in Linux first. SSL is better than nothing. I know it's off topic but as a SocialEngine owner I find the worst security flaw is the add-ons, not so much the core. I've worked with every platform out there, Dolphin, PHPFox, Joomla, Drupal, WP, Oxwall, Ning, Elgg etc. Customization is best with SE and for the look and feel of the overall website, I prefer it for that reason. PHPFox has an excellent settings area and can support almost anything but its security and stability are an utter joke. Every commercial platform has its quirks, especially when it comes to updating its core packages to the latest versions, it just doesn't happen a lot, if ever. That's why they update if someone hacks a well known site and happens to gain enough attention for it that the developers take notice. Custom servers and applications are ideal, but when you haven't got the money to go custom or the experience to set up such a server configuration, then you do the next best thing. Either pay a developer, or pirate it. My thoughts on piracy are mixed but my thoughts on developers are straightforward. 8 times out of 10 they will rip you off for something you could learn yourself and do a better job at maintaining because for all the fancy UI bells and whistles they offer, less than 2% of it works under pressure or high demand, or a mixture of both. Support is a whole other matter entirely, so if it's not something you built, you can't be responsible for it and that's the reason why I'm a fan of custom built websites, like this one. Communication is all that's needed to make great ideas flow and flourish.



DarkXander
Owner of FurrTrax

Post ID: 1400
Posted: 08-11-2016 14:35 PM

SSL does nothing to secure a site from hacks or exploitation, it simply prevents third parties from seeing what's going through the connection. It makes 0 difference to things like SQL injections, XSS, DDoS, etc. All it does is ensure your privacy.

File permissions can be an easy one to goof, but 99% of the problem is either the code itself, the Server Software Stack, or an admin who knows nothing of security doing a poor setup.

Mind you this is not just my opinion as a hobbyist either, I'm a 26-time certified network engineer, and cyber security specialist.



Elshara Silverheart
Member

Post ID: 1401
Posted: 08-11-2016 18:24 PM

DDoS is done by people who already know of the site otherwise it is mostly bot based. Server performance has a lot to do with preventing DDoS attacks. The more secure your code is, the better. I'm not a fan of Apache mainly for this reason because by default you have index browsing which means it must be disabled first before you can actually start protecting files themselves. Any script can search a site domain for an index vulnerability so things that often deal with database hacks often start with if they can connect to whatever ports are open for those database servers to accept what appears to be inbuilt server connections. That all leads back to if the files can be hacked, and to do anything like an injection, you have to connect. I tend to think security is broken if someone can easily bypass file server connections. SSL does nothing for this, you're right. I find it a waste of money but for privacy reasons at least something running on a browser client side connection can't hijack whatever the person is viewing. I'm grateful you're an IT professional specialist. PHP code is the most well known hack prone software known on the planet.


