Campaign peaked during May and June when attackers targeted recently installed, but not configured, instances of WordPress. Outsiders can use a successful attack to take over the new WordPress website and then potentially gain access to the entire hosting account. WordPress installation remains incomplete until a user creates a configuration file, and those who fail to complete installation leave themselves open to attack. Wordfence said a common action is to install a malicious shell in a hosting account, allowing an attacker to access all files, websites and databases on a WordPress account.”]
Source: https://securityintelligence.com/news/wordpress-sites-at-risk-from-php-code-execution/