Wordpress is moderately secure, but I just had two of my WP blogs hacked last week and had to rebuild. In the process I learned some helpful hints. Some of these hints are general for all sites, some specific to WP.

1. Always upgrade to the most current stable version of WP. Older versions may have known exploits.
2. There are several things you can do manually to secure your WP site, but instead use one or more of the established security plugins. Right now I am using both PBS (Bullet Proof Security) and WPD (Website Defender). Follow the guidance from these plugins; take some time to learn them well.
3. Run Akismet (or similar) to minimize rogue spam posts.
4. Turn off remote posting (ATOM and XML-RPC) unless you require it for your business model.
5. Harden your admin PW (and don't call your admin account ADMIN).
6. Don't install lots of experimental plugins onto your site to try them out. Create a sandbox site for this. Keep the installed plugins on your live site to a minimum.

Hope this helps.

Wordpress is a relatively secure product. However as with anything nothing is 100% fool-proof. Unfortunately with widely-used products such as Wordpress once an exploit is found it is widely available on 0-day exploit sites and a lot of hackers will trawl the web to take advantage of this exploit.

However staff at Wordpress are very quick to patch these errors which is a plus. Also the installation of plugins coded by the non Wordpress team can be open to exploits and is the most common way a hacker finds his way in. If there is an issue an SSL certificate will not stop the site being hacked. Will just mean that an form data will be passed between locations with better encryption. I hope this helps.