Based on an article 'The Bloody Battle of Website Defacement: “ISIS” Hackers vs. WordPress' by Nimrod Luria, Co-founder & CTO of Sentri.
In 2014 a bug in MailPoet, a WordPress mail plugin, resulted in 50,000 sites being hacked by injecting a PHP backdoor. SoakSoak, one of the most publicized WordPress attacks in 2014, took advantage of a bug in a popular slider plugin and as a result over 100,000 sites were hacked. More recently, Slimstat, an analytics plugin, was found to be vulnerable to attacks exposing over 1M WordPress websites.
1.) Continuously check for the appearance of unknown files and directories and monitor them for changes.
2.) Applying updates on time.
3.) Read-only Web Server Account
4.) Color Persistence Monitoring
5.) DOM Inspection
6.) Digital Signing
All these are available from Advanced Web Application security solutions.