Yes, this might be the least sexy tip in the history of WordPress. But it’s also one of the most important things you can do to ensure the safety and functionality of your site.
In Sucuri’s Q1 2016 analysis, 56% of hacked WordPress sites (that Sucuri looked at) were running out of date WordPress software. There’s a reason for that correlation – while WordPress is pretty dang secure, there are occasionally vulnerabilities. Those vulnerabilities are fixed as soon as they’re found. But only if you update.
For example, a recent REST API vulnerability affected hundreds of thousands of WordPress sites. But all of those sites could have been spared if they’d immediately updated to WordPress 4.7.2 when it was released.
And it’s not just the WordPress software that needs to be updated, you also need to stay on top of plugin and theme updates. Just three outdated plugins accounted for 25% of the hacked WordPress sites in Sucuri’s analysis. Again, the plugins had actually already patched the security problems. Users just didn’t update.