One of the most common method hackers use to get into your site is a brute-force attack. A brute-force attack essentially means that hackers are setting up bots to slam your login form with a dictionary of common username/password combinations.
This is not a WordPress problem, but a website problem. WordPress has a reputation for being less secure, but in reality a lot of this is because WordPress is ~16% of the web. Meaning all of the sites out there with username “admin” and password “bieberfever” aren’t going to make it long before they get broken into. And, depending on your host, once a site is broken into it’s not long before others on the same server get broken into as well. The web can be a scary place.