Quote kinsta.com
Who is most likely to be targeted in a WordPress hack?
1 Plug-ins
2 brute force attacks (break through logins and seize admin rights)
3 Vulnerabilities in WordPress itself
4 Theme vulnerabilities
5 Hosting server vulnerabilities
The following is a list of the most common vulnerabilities. In this list,
2 is 100% preventable if the password includes the upper and lower case letters, symbols, and numbers that WordPress automatically generates.
3 can be prevented if automatic WordPress updates are enabled, as WordPress will close small vulnerabilities on its own.
4: Adapt the latest version of the official theme. If the theme is a Japanese theme or an original theme, it is less likely to be hacked because it is less popular in the world.
5 is not preventable with WordPress, and although it depends on the server security of each server hosting company, many shared servers have measures in place to prevent hacking, so it will not be so easy to break through.
Attacks on plugin programs
Why are plugin vulnerabilities so easy to target?
Many WordPress plug-ins are completely free and distributed under the GPL, a license that allows anyone to customize them.
Plug-ins are required to be written in a readable program when they are released to the official directory, and vulnerability checks are performed only on a simplified basis and reflected directly in the official directory.
Some developers do not put as much emphasis on vulnerabilities, etc., or have limited knowledge of hackers’ attack methods.
Existence of vulnerability attack tools
In the hacker world, there are tools available that can automatically attack dozens of WordPress plugin vulnerabilities.
Because these tools are easy to use, even less skilled hackers can take over WordPress, and there are many hackers who are doing WordPress hacking for the sake of mischief.
How to prevent WordPress tampering or hijacking from plugin vulnerabilities?
1 Vulnerability Testing
You can perform vulnerability scanning with our plug-ins
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
2 Update Plug-ins
If possible, updating your WordPress plugins every three months or so will prevent most vulnerability attacks on your plugins by hackers.
3 Use as few plugins as possible and remove unused plugins
The fewer plug-ins you have, the less likely it is that a vulnerability will be targeted by hackers. It is also important to ensure that unused plug-ins are removed.
Even if a plugin is inactive, about half of all plugin vulnerabilities can be used as an entry point for tampering from the outside, regardless.