WordPress sites are targeted, mainly by spambots (to send you spam via email) or by Brute Force attacks where your login page is continually being targeted by attempts to get to your admin area.
Make sure you and your Users’ passwords are as hard to guess and as long as possible. Uppercase, lowercase, numbers and symbols.
Keep an eye on your Users (Login > Users). Remove accounts that are no longer active.
If your website is found in search engines, then you will be targets by spambots and brute force attacks.