It is generally right to say that you must know "how to protect". Those. in the first approximation, it should represent what measures should be taken so that the AIS is not hacked from the outside, and from the inside.
For each AIS, these measures will be different, but general methods (such as storing confidential information in the same hands, encryption, etc.) should be the same everywhere.
Hacking any Wordpress is certainly good, but a little different. You must imagine how an attacker can gain access to confidential information and system functionality, you should not do it yourself. Of course, for training, to feel - it will do, but it takes too much time for this. You need to at least study the source code, imagine what and how, in short, be a full-fledged web programmer.
Those. like this, come to the company and say, guys, your system is full of holes, you won’t succeed. You will have to probe this system from the inside, or only by typing a black box to find out what works and what does not.
A little chaotic. But if in a word:
you must imagine what organizational measures to take to protect IP. Because, without taking them, with any little bit unknown vulnerability, you will still get into a mess.

It seems to me that for self-development, you need to read a little theory, and then go hack sites. You can have your own - put WordPress on your hosting, break it yourself, close the hole yourself, and so on.
Offer Popov's students to hack their site for free.