When installing WordPress is important to change the predefined salts to avoid any weak cryptography that makes your cookies and session management weaker.
The fastest way to fix that: https://api.wordpress.org/secret-key/1.1/salt/

If you want to get more info about possible attacks on unsecure wordpress installation, here a good reading: https://www.securitysift.com/understanding-wordpress-auth-cookies/