WordPress Security

If the core is secure, all you should have to do is keep it updated. The question is why should you have to install one or more of 40+ plugins to keep your site secure?

When people build WP sites they don’t expect nor intend to spend 100s of hours fixing core vulnerabilities. Not to mention the vulnerabilities of the slew of plugins in existence that someone might recommend as a “quick solution” to what would otherwise be a very complex and time-involved problem to solve. I don’t really deal with nor support WP myself but this tends to be the mentality I see. Not to mention the majority of the audience for WP is web designers that are in over their head and vigilant bloggers. Also, naturally as the number of plugins increases the security of a site decreases unless each time the code is audited for security. It is no secret that WP itself mostly attracts amateur programmers or worse, designers who know enough to be dangerous.

So when using the system and various plugins that are not especially well known, security vulnerabilities and amateur mistakes/oversights are something you kind of have to come to peace with. For a small business or whatever it really isn’t all that much of a deal if a site gets hacked, or I probably should say the pricing benefit outweighs any potential of a vulnerability being exposed. That can really be said for most open source CMS systems. Though the cost of using an open source CMS pales in comparison to custom development. When you compare the cost of using an open source CMS that could have potential security vulnerabilities to custom software development, the risk of a vulnerability being exposed is accepted over the high cost of custom development.

There is a reason why WP sites are pretty cheap to build: they are easy to get up and running quickly. Though that in no way means they are secure or the person building them would even know the first steps to take to do so. Realistically though the WP core is probably more secure than most custom sites out there considering it has been through years of refinement. The problematic areas are really when it comes to external code being added to the site of an unknown origin that probably has not been audited. The great thing about an open source community is that EVERYONE can contribute code and the bad thing about an open source community is that EVERYONE can contribute code. With so many people contributing plugins and what not on a popular platform like WP or any other for that matter it is not nearly possible to audit them all. That is really where the majority of security and performance problems lie, not in the core platform itself. That goes for WP and any other open source, community driven system out there whether it be Joomla, Drupal, etc.

I will say that probably in 99% of cases, unless you are dealing with a very experienced software company with a huge budget, a popular open source system CORE platform is more secure than most other things out there. The more popular something is, naturally the more refinement and testing it has probably been through, resulting in many of the initial vulnerabilities being worked out over time. Though that doesn’t stop an open source contributor from making one or two stupid moves in a module or plugin, contributing the code and bringing down countless sites that might use the code.

A few things to remove the virus:

Update the WordPress theme.

Your hosting may have the backup, so call them and ask them to put back the backup from before 8 days.

.htaccess has to be protected. Add code to .htaccess so no one can hack or spam your website.

Block the admin panel of your website using robots.txt, as well as use a very difficult password for your admin.

For security, follow these:

* removing the admin username
* update your wp-config.php keys
* manually install WordPress
* use a better password

I’m using the Better WP Security plugin with all of my WordPress installations. It allows me to ban all those IPs which are trying to log in. And I find that there are hundreds and thousands of tries to log in to WordPress. After installing this plugin I can now block these IPs automatically and can get automatic DB backups to my email.

WordPress can be secured if you adjust it with the right plugins.

Check the plugins on this link: http://www.hongkiat.com/blog/hardening-wordpress-security/

All the Best!

I hope you were careful enough to make a monthly backup.

It’s the easiest way to “clean” an infected site.

Due to its popularity and relatively weak codebase, WordPress gets hacked often. A recent study has found that more than 20% of the 50 most popular WordPress plugins are insecure, and that 7 of the 10 most popular WordPress ecommerce plugins are insecure.

That’s bad news and confirms how WordPress got its very poor reputation on security. I also don’t use WordPress unless the customer insists on it, and then I only provide support if they go on a prepaid (hourly based) support plan.

Why did you switch from your custom CMS to WordPress?

WordPress cannot be secure if you do not do research on this. The most common way of hacking a WordPress site is to insert files in your uploads folder. If your file permission is set to 777 then you will get hacked easily, and on a shared host the chances are very high, so take a VPS and secure your directory with .htaccess files so that no one can see the directory.
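
The two conditions named in the post above (uploads permissions of 777 and files inserted into the uploads folder) can be checked with a short audit script. This is an added example, not part of the original thread; the function names are hypothetical and the path assumes WordPress's default `wp-content/uploads` layout.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the wp-content/uploads path assumes WordPress's default layout.

# List files and directories under $1 that anyone on the host can write to
# (mode 777, 666, 757, ...). Symlinks are skipped: their mode is always 777.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# List PHP-like files under $1. Uploads normally holds media only, so any
# hit deserves a manual look.
list_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Audit one WordPress root. Returns 0 if clean, 1 on findings, 2 if the
# uploads directory is missing.
audit_uploads() {
    uploads="$1/wp-content/uploads"
    if [ ! -d "$uploads" ]; then
        echo "no uploads directory at $uploads" >&2
        return 2
    fi
    findings=0
    ww=$(list_world_writable "$uploads")
    if [ -n "$ww" ]; then
        echo "World-writable entries (tighten, e.g. 755 for dirs, 644 for files):"
        echo "$ww" | sed 's/^/  /'
        findings=1
    fi
    php=$(list_php_in_uploads "$uploads")
    if [ -n "$php" ]; then
        echo "PHP files inside uploads (review before removing):"
        echo "$php" | sed 's/^/  /'
        findings=1
    fi
    return "$findings"
}

# Run only when a WordPress root is given: sh audit.sh /var/www/site
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

The non-zero exit status on findings lets the script run from cron or a deploy step and raise an alert when the uploads tree drifts.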