There are many ways to host a self-hosted WordPress.org website. The most popular way to host WordPress is by using a managed hosting provider. You are probably already familiar with some of the more popular companies that provide this service.
In general a managed hosting provider will deploy and maintain the hardware, network, operating system and they will manage load on the system. They will also include services like backups and a management interface like CPanel to deploy new websites and maintain your website.
When using a managed hosting service, the hosting provider is responsible for the following items:
Some hosting providers will include additional security features. This often comes with additional cost. These include:
Qualities of a trusted web host might include:
There are many other kinds of hosting available. You can purchase your own dedicated virtual server from a company like Linode. Or you can purchase a more expensive hosting plan that provides you with your own dedicated hardware and some management of the operating system and applications. There are as many hosting options as there are service level agreements.
With each new hosting option, it is important to understand where your responsibility ends and where the hosting provider's responsibility begins. You can find this information in the service level agreement you have with your hosting provider.
A good rule of thumb for most managed hosting providers that provide shared hosting for WordPress is that you are responsible for securing the areas that you have control over and which you can change.
You have control over which web applications you install, the version of each web application and which individual files are on your hosting account. Therefore, you are responsible for securing these applications.
You don't have control over the operating system, the version of PHP installed and the version of the database or web server installed. You don't have administrative access to any of these items. Therefore it is not your responsibility to secure or maintain these items.
You do have control over what is stored in the database by your web applications. Therefore you are responsible if your web application inserts something malicious into the database.
You also have control over your hosting account files. If one of your web applications has a security flaw and an attacker is able to write malware onto your filesystem, it is your responsibility to detect and clean that malware. Your hosting provider may provide assistance with this, but ultimately you are responsible for the security of your files.
Hosting provider infrastructure, operating systems and applications are rarely hacked. In general, hosting providers have dedicated operations personel that are available 24/7 to secure their network and take action where needed. Most compromises occur in individual hosting accounts and are caused by a managed hosting customer who has installed an insecure application or has not updated a web application.