There's a corresponding plague of WordPress malware. It's my belief that people have industrialized password guessing and vulnerability exploration. There's a dazzling variety of webshells, and kinked WordPress plugins etc that get installed. I believe access to these is often sold or rented. Infosec people are so oriented towards Windows, they overlook this whole ecosystem.
