About 60% of WordPress tampering damage is caused by vulnerabilities in the old WordPress itself and plugins. Some of these are 0-day attacks. This is explained here.
What is a program vulnerability?
WordPress is made up of thousands of PHP programs, including plug-ins. Many of these programs process data sent from external sources.
If there is a flaw in the way this data is processed, it is possible, for example, for an external party to send malicious data to the server, write arbitrary files to the server, or edit files.
A bug (or gap) in a program that allows unauthorized processing unintended by the creator is called a vulnerability.
Reference
What is a WordPress program vulnerability?
What is a 0Day attack?
A 0-Day attack is an attack that occurs when no updates are available to close the vulnerability.
The vulnerability itself may not be known.
The vulnerability itself may not be known.
Unfortunately, there is no way to prevent a 0Day attack when no means is provided to close the vulnerability and the vulnerability is not known.
However, since such vulnerabilities are known only to the person who discovered them or to a very small group of people at the time, the probability of being exposed to such an attack is very small.
The danger is to continue to use plug-ins that have known vulnerabilities but for which no security patches are available.
The danger of a 0Day attack is when a vulnerability is known, but no updates have been provided to cover it.
WordPress plug-ins may be left unattended even after vulnerabilities are found, as their creators may have stopped developing them.
In this case, the official WordPress site will stop distributing the plugin or take steps to prevent it from being found by search engines, but the vulnerability will remain in the plugin for sites that are already using it.
Check for vulnerabilities and stop using plug-ins for which no updates have been provided.
If a vulnerability is found, check the plugin’s administration page to see if an update is available for that plugin.
To check for vulnerabilities
You can also search for plug-ins and other plug-ins on WPSCAN.
You can also use the [Free] WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal] to check for vulnerabilities.
If a vulnerable plugin has been inactive for an extended period of time, we recommend that you deactivate and remove the plugin. (For a more advanced solution, you can add a program to close only the vulnerability based on the information of the regretted vulnerability.)