WordPress.org software has, like all cloud functions, a number of security vulnerabilities. One recent discovery by Admin is that Google and other search bots crawl and index the internal directories of websites, not just things like “posts”. That means hackers can “see” the underlying WordPress.org directories of our site and then find vulnerabilities to exploit.

One particular weakness of WordPress.org software is that third-party plugins tend to have more vulnerabilities to exploit, and this recently occurred with the PSA site. A hacker found a vulnerability in one of our plugins and used it to upload their own malware plugin, “MyCurator”, to our site. Admin suspects the exploited plugin was UTMCE Pro, but that’s speculative at this point.
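A plugin that nobody on the team installed is easiest to spot by comparing the plugins directory on disk against a list of what should be there. The script below is an added example, not part of the original post or of WordPress itself: it walks `wp-content/plugins`, reads each entry's `Plugin Name:` header the way WordPress does, and reports every entry missing from an allowlist. The allowlist, the sample tree and the `mycurator` folder name are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Set, Tuple

# WordPress identifies a plugin by a "Plugin Name:" line in the header comment
# within the first 8 KiB of a PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.M | re.I)

def declared_name(entry: Path) -> Optional[str]:
    """Plugin Name declared by a plugin folder or single-file plugin, if any."""
    files = [entry] if entry.is_file() else sorted(entry.glob("*.php"))
    for php in files:
        match = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None

def audit_plugins(plugins_dir: Path, allowlist: Set[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (slug, declared name) for every plugin entry not on the allowlist."""
    unexpected = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.name == "index.php":  # placeholder file WordPress ships here
            continue
        if entry.is_file() and entry.suffix != ".php":
            continue
        slug = entry.stem if entry.is_file() else entry.name
        if slug not in allowlist:
            unexpected.append((slug, declared_name(entry)))
    return unexpected

def build_sample_tree(root: Path) -> Path:
    """Constructed sample data: two expected plugins and two unexpected ones."""
    plugins = root / "wp-content" / "plugins"
    samples = {
        "index.php": "<?php\n// Silence is golden.\n",
        "akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet\n */\n",
        "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",
        "mycurator/main.php": "<?php\n/*\nPlugin Name: MyCurator\n*/\n",  # folder name assumed
        "tmp-cache.php": "<?php\n// file with no header comment\n",
    }
    for rel, body in samples.items():
        path = plugins / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return plugins

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name in audit_plugins(build_sample_tree(Path(tmp)), {"akismet", "hello"}):
            print(f"unexpected plugin entry: {slug} (declares: {name})")
```

On a real site, point `audit_plugins` at the actual plugins directory and keep the allowlist somewhere the web server cannot write to, so an intruder cannot add their own plugin to it.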

Eventually, plugins get updated, and most such vulnerabilities get “fixed”. Here’s a WordPress.org video on two different “hardening” steps to take to make the above vulnerabilities much harder, if not impossible, to exploit.