A new kind of attack targets fresh WordPress installations. The attack starts with a scan for the “/wp-admin/setup-config.php” URL. This is the setup URL for any freshly installed WordPress. If the attackers find that URL and it serves a setup page, it indicates that someone has recently installed WordPress on the hosting account but has not yet configured it. At this point, it is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account.
Attackers gain control by completing the setup process themselves: they click through the first two steps of the setup configuration and then enter their own database server information in the final step. Their database can be on their own server, and it doesn’t have to contain any data – it can simply be an empty database. Once the attackers have admin access to a WordPress website running on a hosting account, they can execute any PHP code they want in that hosting account.
Once an attacker can execute code on a WordPress hosting account, they can perform a variety of malicious actions. One of the most common actions is to install a malicious shell in a directory in the hosting account. With this, they can access all files and websites on that account. They can also access any databases that any WordPress installation has access to, and may be able to access other application data.
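
A defender-side check for the unconfigured installations described above, as an added example that is not part of the original article: it walks a hosting account's web root and lists WordPress directories where setup-config.php is present but no wp-config.php has been created yet. The function names and the sample directory layout are assumptions constructed for the example; the parent-directory rule mirrors the fact that WordPress also accepts a wp-config.php placed one level above the install.

```python
import os
import tempfile

def find_unconfigured_wordpress(root):
    """Return WordPress directories under root whose setup page is still live."""
    exposed = []
    for dirpath, _dirs, _files in os.walk(os.path.abspath(root)):
        if not os.path.isfile(os.path.join(dirpath, "wp-admin", "setup-config.php")):
            continue
        # Configured in place: wp-config.php sits beside wp-admin/.
        if os.path.isfile(os.path.join(dirpath, "wp-config.php")):
            continue
        # WordPress also accepts wp-config.php one level up, unless that parent
        # is itself a WordPress install (it then contains wp-settings.php).
        parent = os.path.dirname(dirpath)
        if (os.path.isfile(os.path.join(parent, "wp-config.php"))
                and not os.path.isfile(os.path.join(parent, "wp-settings.php"))):
            continue
        exposed.append(dirpath)
    return sorted(exposed)

def build_sample_account(base):
    """Create a constructed sample hosting account (empty files, demo only)."""
    files = [
        "shop/wp-admin/setup-config.php",          # configured in place
        "shop/wp-config.php",
        "shop/wp-settings.php",
        "shop/staging/wp-admin/setup-config.php",  # new copy inside shop/, not configured
        "blog/wp-config.php",                      # config kept one level above
        "blog/public/wp-admin/setup-config.php",
        "newsite/wp-admin/setup-config.php",       # uploaded, never configured
    ]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as account:
        build_sample_account(account)
        for site in find_unconfigured_wordpress(account):
            print("setup page still open:", os.path.relpath(site, account))
```

Any directory it reports is one where the setup page can still be completed by whoever reaches it first, so it should be configured or removed from the web root.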