I happened to be tinkering on my website, so I saw it get compromised in relatively real time. Thankfully the nature of the compromise was such that it 1) didn’t pwn the whole server, and 2) didn’t plant hooks in the database, or attempt to mine it for (non-existent) commercial info.
I keep my site up-to-date, have a standard setup, minimal plugins, a good WP security plugin, yet that wasn’t enough. Luckily I didn’t care if I rolled back to yesterday’s backup – no new data lost.
Lesson learned. Despite WordFence and Jetpack it was brute-forced through xmlrpc – which is now locked down to an allow list. While I’ve kept the source of the compromise code, I doubt I’ll bother looking at it.
20210329: another couple of things I’ve done are 1) disable xmlrpc.php entirely, and 2) chmod -R 550 /var/www/
Both are easy enough to roll back (e.g. for updates) and help site security.
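An added example, not code from the original post, putting the three measures above into shell form: a scan of an access log for the xmlrpc.php POST floods that an XML-RPC brute force leaves behind, a generator for the Apache or nginx rule that allow-lists (or, with no addresses, fully disables) xmlrpc.php, and a lock/unlock pair for the docroot. The function names, the sample log lines and the RFC 5737 addresses are constructed for the example; the locking helper differs from the post's plain chmod -R 550 in giving files 440 rather than 550, which removes an execute bit the web server never needs, and it shows the rollback that the post notes is needed before updates.

```shell
#!/bin/sh
# Added example for the xmlrpc.php lockdown described in the post.
# Helper names (xmlrpc_abusers, xmlrpc_rule, lock_docroot, unlock_docroot)
# are hypothetical; the log below is constructed, not a real capture.

# Constructed access log in combined format. 203.0.113.5 is hammering
# xmlrpc.php, which is what a system.multicall password-guessing run
# looks like from the server side; the other clients are ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [29/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Mar/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Mar/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "WordPress/5.7; https://example.net"
192.0.2.9 - - [29/Mar/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# xmlrpc_abusers [THRESHOLD] < access.log
# Prints "count ip", busiest first, for every client with more than
# THRESHOLD (default 3) POST requests to xmlrpc.php. Fields of the combined
# format: $1 client, $6 '"METHOD', $7 path.
xmlrpc_abusers() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' | sort -rn
}

# xmlrpc_rule apache|nginx [ip-or-cidr ...]
# Emits a server rule that lets only the listed addresses reach xmlrpc.php.
# With no addresses the rule denies everyone, i.e. xmlrpc.php is disabled.
# Apache 2.4: several Require directives in one <Files> block are OR'd.
xmlrpc_rule() {
    server="$1"; shift
    case "$server" in
    apache)
        printf '<Files "xmlrpc.php">\n'
        if [ $# -eq 0 ]; then
            printf '    Require all denied\n'
        else
            for ip in "$@"; do printf '    Require ip %s\n' "$ip"; done
        fi
        printf '</Files>\n'
        ;;
    nginx)
        printf 'location = /xmlrpc.php {\n'
        for ip in "$@"; do printf '    allow %s;\n' "$ip"; done
        printf '    deny all;\n}\n'
        ;;
    *)
        echo "usage: xmlrpc_rule apache|nginx [ip ...]" >&2
        return 2
        ;;
    esac
}

# lock_docroot DIR
# Read-only tree: directories 550, files 440. Nothing running as the
# owner or the web-server group can write, so a compromised plugin cannot
# drop files, but core/plugin updates and media uploads fail until unlocked.
lock_docroot() {
    find "$1" -type d -exec chmod 550 {} + &&
    find "$1" -type f -exec chmod 440 {} +
}

# unlock_docroot DIR
# Restore owner write access (750/640) before running updates, then lock again.
unlock_docroot() {
    find "$1" -type d -exec chmod 750 {} + &&
    find "$1" -type f -exec chmod 640 {} +
}

# Demo on the constructed log; prints "4 203.0.113.5" and an nginx rule.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_abusers 3
xmlrpc_rule nginx 203.0.113.10
```

On a live server, feed the real access log to xmlrpc_abusers (`xmlrpc_abusers 20 < /var/log/nginx/access.log`) to see whether the lockdown is being probed; a legitimate Jetpack or mobile-app client shows up as a low count from a known address, which is what the allow list is for. Run lock_docroot only after unlock_docroot has been used for the update cycle, since the web server itself is the thing you are denying write access to.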