Securing your web applications involves using SSL to secure browser communication as well as keeping your apps' code protected from attackers exploiting vulnerabilities.
All apps should be secured with SSL. ServerPilot's AutoSSL feature automates free SSL certificates. Once you've enabled SSL so your apps and all of their domains are accessible over HTTPS, you can use ServerPilot to redirect all non-HTTPS (insecure) requests to the same URLs over HTTPS.
Any code can have vulnerabilities. Because apps such as WordPress, Laravel, Magento, and Drupal are web applications written in PHP, they can have vulnerabilities.
Most important for your apps' security is making sure the code is well-written by developers who understand security and that you update your applications whenever the developers make security updates available.
WordPress is the most popular web application in the world. It also has a huge number of available plugins and themes written by developers who do not understand web application security.