I'm gunna suggest compromised hosting. The issues I've seen (once plugins / core / php is up to date and obvious stuff sorted) has been almost entirely on shared hosts.
Php is a beast of an attack surface. On every php install I try to do as much hardening as I can, especially with `disable_functions`, since you can make it much harder for someone to get a useful reverse shell, or other nasty things, like the built in `shell_exec` function.
I'm betting most WordPress shared hosting doesn't do that, nor give people the means to set up a web app firewall in front of it. Without these things I'd never want to expose a WordPress install to the internet :)
https://www.madirish.net/?article=229
I'm betting most WordPress shared hosting doesn't do that, nor give people the means to set up a web app firewall in front of it. Without these things I'd never want to expose a WordPress install to the internet :)