"WordPress sites primarily attacked via credential stuffing"

Furthermore, it appears that a large number of WordPress sites are no longer actively managed, so 210,000 websites that became infected in early 2022 still were at the end of last year. Credential stuffing was the most common method of attack against WordPress sites last year, according to security firm Wordfence based on its own figures (pdf). These are paid legitimate plug-ins that are downloaded by attackers, equipped with malware and then offered for free download on a variety of forums and websites.