Just out of curiosity, what difference does it make whether or not WordPress (or any other similar content management system such as Joomla or Drupal) is used as the front-end? If the back-end which does the actual processing of payments is coded securely and operates independently of WordPress (which I understand wasn't the case here), does the fact that a site uses WordPress as its CMS still pose a security risk?
The front-end sends commands to the back-end and exposes back-end info to users. Unless you have an air gap and a human manually verifying everything, once the front-end is compromised, the back-end will fall regardless of its security level.
If the front-end is compromised, the hacker can, for instance, just turn a "buy coins" command into a "withdraw coins" command. If the 2FA is handled by the front-end, either directly or because the front-end allows changing or resetting 2FA/email address, then the back-end has no way to know if a command originates from a user or from a hacker that compromised the front-end.
If the administration is part of the front-end (which is common), then gaining control of the front-end means you have admin control of the back-end.
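The "buy" to "withdraw" rewrite described in the reply above, as an added example that is not part of the original thread: one back-end accepts the front-end's claim that 2FA passed, the other checks an approval bound to the exact command. It assumes a per-user secret held only by the user's device and the back-end and enrolled without going through the front-end; all names, keys and addresses are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-user secret. Assumption: it lives on the user's device and
# in the back-end only, and cannot be reset through the front-end.
USER_KEYS = {"alice": b"constructed-device-secret"}

def canonical(cmd):
    """Stable byte encoding of a command so both sides MAC the same bytes."""
    return json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()

def user_approve(user, cmd):
    """Runs on the user's device: the approval covers the exact command."""
    return hmac.new(USER_KEYS[user], canonical(cmd), hashlib.sha256).hexdigest()

def frontend_forward(request, compromised=False):
    """Front-end relays the request and asserts that 2FA passed.
    A compromised front-end swaps the command, as described in the reply."""
    out = dict(request, twofa_ok=True)
    if compromised:
        out["cmd"] = {"action": "withdraw", "amount": 5, "to": "constructed-other-address"}
    return out

def backend_trusting(request):
    """2FA handled by the front-end: the back-end only sees a flag."""
    return request.get("twofa_ok") is True

def backend_verifying(request):
    """Back-end recomputes the approval over the command it actually received."""
    key = USER_KEYS.get(request.get("user"))
    approval = request.get("approval")
    if key is None or not isinstance(approval, str):
        return False
    expected = hmac.new(key, canonical(request["cmd"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)

def demo():
    cmd = {"action": "buy", "amount": 5}
    req = {"user": "alice", "cmd": cmd, "approval": user_approve("alice", cmd)}
    honest = frontend_forward(req)
    tampered = frontend_forward(req, compromised=True)
    return {
        "trusting_honest": backend_trusting(honest),
        "trusting_tampered": backend_trusting(tampered),
        "verifying_honest": backend_verifying(honest),
        "verifying_tampered": backend_verifying(tampered),
    }

if __name__ == "__main__":
    print(demo())
```

The check only holds while the front-end can neither read nor re-enroll the user's secret, which is the condition the reply singles out.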