very vanilla wordpress, it was a basic blog site. I think the only plugins I used were google analytics and some basic theme. I would keep it updated whenever I remember but maybe it wasn't often enough. Not exactly sure what the vector was and from whatever quality of analysis I did, the system didn't appear damaged beyond the changes made to the wordpress folder and luckily, the damage didn't seem to escape the www-data user that the http server ran as.
I'm gunna suggest compromised hosting. The issues I've seen (once plugins / core / php is up to date and obvious stuff sorted) has been almost entirely on shared hosts.
Php is a beast of an attack surface. On every php install I try to do as much hardening as I can, especially with `disable_functions`, since you can make it much harder for someone to get a useful reverse shell, or other nasty things, like the built in `shell_exec` function.
I'm betting most WordPress shared hosting doesn't do that, nor give people the means to set up a web app firewall in front of it. Without these things I'd never want to expose a WordPress install to the internet :)
"Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks."
