Disable Theme and Plugin Editors from WordPress


This is a big problem if customers use very weak passwords together with default usernames such as admin or administrator. Even if you don't use a default username, the real one can be found very easily.

Get WordPress username

https://wordpress.site/?author=1

This redirects to the author page of the user with ID 1, so the correct username, which is usually the admin user, is exposed in the URL.

If the WordPress admin password is leaked or is easy to guess (for example by brute force), this allows the attacker to modify any file the web server can write to and to put malware into PHP files.

Disable Theme and Plugin editing

By default, a WordPress installation allows users to edit theme and plugin code through the WordPress admin panel. While this is a handy feature, it can be very dangerous as well: the default admin user does not need to edit CSS, PHP or other files on a daily basis. To prevent an attacker who obtains admin credentials from modifying files, it is best to disable the theme and plugin editors in the WordPress admin panel.

All you have to do is open your wp-config.php file and paste the following code:

define( 'DISALLOW_FILE_EDIT', true );
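As an added example (not code from the original post), the following POSIX shell helpers audit a wp-config.php for the DISALLOW_FILE_EDIT constant and insert or correct it. They assume the standard layout in which wp-config.php ends with the line that loads wp-settings.php; a constant defined after that line has no effect.

```shell
#!/bin/sh
# Added example, not from the original post: audit wp-config.php for
# DISALLOW_FILE_EDIT and insert or correct it. Assumes the standard
# layout ending with:  require_once ABSPATH . 'wp-settings.php';

# Print "enabled", "disabled" or "missing" for the given wp-config.php.
# Commented-out lines (// define(...)) do not start with "define", so
# they are not counted as a setting.
file_edit_status() {
    cfg="$1"
    line=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"]" "$cfg" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq "true[[:space:]]*\)"; then
        echo enabled
    else
        echo disabled
    fi
}

# Ensure the editors are disabled: rewrite an existing define in place
# (e.g. one set to false) or insert a new one just before wp-settings.php
# is loaded. Does nothing when the constant is already true.
harden_wp_config() {
    cfg="$1"
    if [ "$(file_edit_status "$cfg")" = enabled ]; then
        return 0
    fi
    # cp -p keeps the file's owner/mode; '>' then truncates and rewrites it.
    cp -p "$cfg" "$cfg.tmp" || return 1
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /^[ \t]*define[ \t]*\(.*DISALLOW_FILE_EDIT/ { print line; done = 1; next }
        /require_once.*wp-settings\.php/ && !done   { print line; done = 1 }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Run `file_edit_status /path/to/wp-config.php` to check a site, and `harden_wp_config /path/to/wp-config.php` to apply the setting; the web server user must be able to read, but should not be able to write, the resulting file.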

Final words

Read more about Malware Expert ModSecurity rules and protect your web server against vulnerabilities with a Web Application Firewall. You can also use the free RBL Database to prevent DDoS attacks against WordPress, Joomla and other CMS systems.