WordPress is a popular target
WordPress has had a growing problem for years, and that problem is called spam: WordPress has been a popular target of spammers for a long time. This is not surprising, because WordPress now powers a majority of websites; even large portals often run nothing but WordPress in the background. That means a single security hole or vulnerability can be used to attack an incredible number of blogs. And because not everyone installs security updates immediately, there is always the chance that an attacker will catch someone who has not yet closed known holes. Spam in WordPress runs automatically; nobody sits down and tries to trigger an attack manually with spam comments or the like.
Security vulnerabilities due to themes and plugins
Attackers have their own bots running that attack WordPress permanently and massively. They access wp-comments.php directly; not even a visible form is needed. The XML-RPC interface is exploited too, and these attacks have nothing to do with the haphazard poking around of the past. Attackers know the weaknesses of plugins and themes exactly. That's right: WordPress itself has only a few security problems; vulnerabilities are often simply caused by plugins. All these automated attacks have been taking on exaggerated forms for years. If you look through your log files, you will discover what kind of strange requests are sometimes generated. Every day there are 20 to 100 attacks, on FastWP as well. Mind you, that is although registration is completely disabled here; otherwise there would be numerous brute-force attacks on the login on top.
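As an added example (not from the original post), here is a small POSIX shell/awk script that does the log reading the paragraph recommends: it tallies requests to the three endpoints the bots hit, wp-login.php, xmlrpc.php and wp-comments-post.php (the WordPress comment-posting script the text refers to as wp-comments.php), per client IP, and reports what share of all requests they make up. The log lines are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Tallies automated hits on the
# WordPress endpoints the text names, from a combined-format access log.
# The log lines below are constructed for this example (RFC 5737 test IPs).

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [10/May/2020:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2020:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2020:10:00:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2020:10:01:00 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.23"
192.0.2.5 - - [10/May/2020:10:02:00 +0200] "GET /2020/05/some-post/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2020:10:02:05 +0200] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
)

# Pattern for the request path (awk field 7 in combined format): the login,
# the XML-RPC interface and the comment-posting script, with or without query.
# A bracket expression is used instead of "\." so that awk -v does not
# reinterpret the backslash.
ENDPOINTS='^/(wp-login|xmlrpc|wp-comments-post)[.]php'

# attack_endpoint_hits LOGTEXT
# Prints "count ip path" for every client that hit one of the endpoints,
# most frequent first.
attack_endpoint_hits() {
    printf '%s\n' "$1" | awk -v re="$ENDPOINTS" '
        $7 ~ re { n[$1 " " $7]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# automated_share LOGTEXT
# Prints the whole-number percentage of all requests that went to those
# endpoints, i.e. how much of the "traffic" is not readers at all.
automated_share() {
    printf '%s\n' "$1" | awk -v re="$ENDPOINTS" '
        { total++ }
        $7 ~ re { hits++ }
        END { printf "%d\n", (total ? 100 * hits / total : 0) }
    '
}

# Stand-alone run: show the tally for the constructed log.
echo "Hits on login/XML-RPC/comment endpoints per IP:"
attack_endpoint_hits "$SAMPLE_LOG"
echo "Share of all requests: $(automated_share "$SAMPLE_LOG")%"
```

On a real server, replace the constructed text with `attack_endpoint_hits "$(cat /var/log/apache2/access.log)"`; the same awk field numbers apply to nginx's default combined format. Four of the six constructed requests hit the three endpoints, so the script reports 66% automated traffic, which is the kind of figure the paragraph is talking about.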
Spam is a major security risk
All this is a potential danger, and above all a disadvantage in terms of performance. A large part of the traffic is therefore not people at all. Your own server doesn't break down because so many visitors pass by; it breaks down because WordPress is attacked so massively and is under constant fire. Like a server in a crisis area that intercepts many bullets, where it is only a matter of time until a ricochet hits it. Dynamic pages, spam and hacks: it's easy to take down the performance, no DDoS attack needed. All this has become more and more massive in the last years, in my opinion, and all too often spam becomes a real security problem, even the main problem, as the current security reports show over and over again. Without plugins like Antispam Bee, comments within WordPress are no longer imaginable, but even with them, their usefulness is nowadays more than questionable.
Disable comments and login
Wouldn't it make more sense today to rely on a system like Disqus? WordPress comments need a resource-hungry anti-spam solution, and even then there is still the danger that malicious code will somehow get into the database through them, as has happened more than once. WordPress spam is a real epidemic; the WordPress comments are basically no longer usable. Switching them off is the order of the day; only then will the spam largely stop. The login should also be protected with a .htpasswd to largely avoid automated brute-force attacks. Only then will most attacks stop, although there will still be more than enough, don't be under any illusion. WordPress is a widespread CMS and therefore the most popular target of hackers, spammers and all other kinds of attackers.
Automattic has no interest in security
By the way, the whole thing is not really fixed, and that would not be so easy. Nevertheless, there is the suspicion that Automattic approves of spam; after all, the developer behind WordPress also sells Akismet, a commercial anti-spam solution. In addition, Automattic is constantly trying to steer users from WordPress.org toward WordPress.com, as happens with Jetpack. So if you don't want to be hacked or have spam problems, please switch to WordPress.com. That is why I get the impression that nothing is supposed to be done, because the results of the whole thing are quite positive for Automattic. Sure, a controversial view, but it doesn't seem to be in the company's interest to prevent spam and attacks, with which money is made through professional service and support after all.
A CMS, not a community platform
For me it was already clear some years ago that WordPress as it is is no longer a great thing. So I blocked XML-RPC completely, prevented comments and trackbacks, and secured the login completely via .htpasswd. This way, no more spam gets into my database, most attacks go nowhere, and brute-force attacks on the login no longer have a chance. By the way, Disqus has always been spam-free on my blogs, so I can recommend it as an alternative for comments. But please don't mirror the comments into WordPress; use Disqus completely without a plugin and install it by hand. More can't be said at this point. Only one thing should be clear to you: allowing comments in WordPress means tolerating a security risk. The same applies to the login, because attackers are busy there as well. So either develop a solution yourself, or go to an external service for comments and more. WordPress itself is still very suitable as a CMS, but as a community platform it has not been for a long time. According to the latest report of the security company Imperva, the large amount of spam in WordPress is the main cause of its many security problems.
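As an added example, and not the author's own configuration, here is the Apache side of the setup described in this section and in "Disable comments and login" above: a POSIX shell script that emits .htaccess rules which refuse xmlrpc.php, wp-comments-post.php and wp-trackback.php outright (the core scripts behind XML-RPC, comment posting and trackbacks) and put HTTP Basic authentication in front of wp-login.php, plus a helper that creates the .htpasswd file with htpasswd from apache2-utils. The password file path and the function names are assumptions; the directives are standard Apache 2.4 (mod_authz_core and mod_auth_basic).

```shell
#!/bin/sh
# Added example, not the original author's configuration. Emits Apache 2.4
# .htaccess rules that implement the three steps from the text: block
# XML-RPC, refuse comment and trackback posting, and put HTTP Basic auth in
# front of the WordPress login. The password file path is an assumption.

# wp_hardening_htaccess PASSWD_FILE
# Prints the rules; append the output to the site's existing .htaccess
# (which usually already holds WordPress's own mod_rewrite block).
wp_hardening_htaccess() {
    passwd_file=$1
    cat <<EOF
# --- WordPress hardening: added block ---

# XML-RPC is not needed when no app or plugin uses it; refuse it entirely,
# so the request never reaches PHP.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Comments and trackbacks are switched off inside WordPress, so the posting
# endpoints can be refused at the web server as well.
<Files "wp-comments-post.php">
    Require all denied
</Files>
<Files "wp-trackback.php">
    Require all denied
</Files>

# Second login in front of wp-login.php: bots never reach the WordPress form.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $passwd_file
    Require valid-user
</Files>
# --- end hardening block ---
EOF
}

# make_htpasswd PASSWD_FILE USER
# Creates the password file with a bcrypt hash (htpasswd -B) and prompts for
# the password. Keep the file outside the document root so it is never served.
make_htpasswd() {
    if ! command -v htpasswd >/dev/null 2>&1; then
        echo "htpasswd not found; install apache2-utils (Debian) or httpd-tools (RHEL)" >&2
        return 1
    fi
    htpasswd -B -c "$1" "$2"
}

# Typical use (paths are examples):
#   make_htpasswd /etc/apache2/.htpasswd-wp admin
#   wp_hardening_htaccess /etc/apache2/.htpasswd-wp >> /var/www/html/.htaccess
#   apachectl configtest
wp_hardening_htaccess /etc/apache2/.htpasswd-wp
```

Two things to check after appending the rules: the site's directory block must allow .htaccess processing (AllowOverride All is the usual WordPress setting, otherwise the rules are silently ignored), and the Basic auth is an extra layer in front of the WordPress login, not a replacement for strong WordPress passwords, since anyone who passes it still has to log in normally. Comments and trackbacks should be disabled in the WordPress settings first; the server-side denial then just stops the bots from burning PHP time on endpoints that are closed anyway.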