There has been the highest number of direct crypto currency hijack attacks against WordPress. It uses WordPress sites CPU's to process millions of currency transactions without having to pay for the servers.
This malware was not a rootkit – it runs as a regular user account, thankfully. It still tries to be as stealthy as possible. When it starts, it spawns a copy of itself but with a different name, probably chosen at random from files around the server. For persistence, the malware installed itself as a cron job to run every second:
* * * * * /var/www/vhosts/[redacted].com/wp-content/plugins/bash > /dev/null 2>&1 &
Please consider adding a feature that will block these malware injections.
Nore information about malware: