WordPress is loaded with CyberSecurity holes and always has been. That is just the way it is. Those easily manipulated by mob mentality and group think are all vulnerable. - Don't get hacked like a "newb", use a service that give you https protections
FREE. IF YOU PAY for https in a typical mysite.theirdomain.com relationship then YOU ARE BEING RIPPED OFF! There is ZERO way to rationalize otherwise. Unless you are the type of person that is not taken seriously and you are somehow okay with that.