WordPress sites are targeted because there are millions of them. There are many things you can do to make your WP site more secure. Primarily look at the plugins you use, make sure to only use plugins available from WP and make sure they are kept up to date. Remove (unistall/delete) any plugins you do not need. Plugins are almost always the cause of malware issues. Themes from sites other than WP may or may not be secure and kept up to date.

Now, if you are familiar with html and css and able to build your own html site, then, yes the static pages are less vulnerable. BUT if you rely on external scripts you are not much better off.

Edited to add - there are more suggestions in a discussion on this topic here: [webmasterworld.com...]

There is obviously a vulnerability on your WP install. It is probably a plugin, but maybe the theme. Do a scan with WPScans.com or some other. There are a couple. Look at your raw access log to see how they got in.

I think the only functionality I need is the ability for user to click on links to other web pages, and a link to activate a phone call when viewed on a smartphone.

Then why on earth are the sites on WordPress (or any CMS) in the first place? The teeny-tiny savings to the site administrators in not having to master a few words of HTML are vastly outweighed by the extra burden on both the server and the user’s browser--and, as you’ve found, by security vulnerabilities.

Neither of the named “functionalities” is, well, a functionality. They’re standard HTML that could have been coded in 1992. (OK, maybe not the phone, since smartphones didn’t exist then.) In fact both use the same HTML markup; it's not even a different word like “mailto”.

Cursory research says that the iPhone recognizes phone numbers without any further instructions, though I don't suppose this feature in and of itself is worth paying seven times as much.

@lucy24
The reason I have used Wordpress to design so many sites, is because I have needed the functionality in the past.
I have built sites for customers who have no HTML ability, and the CMS has helped them create their own content once I handed the sites over to them.
I have also worked on some more complex 'big website' projects using WP, that are still ongoing.
I have needed to build smaller sites for myself, promoting my own services, and the Menus, Widgets, Contact forms, Search bars, Blogging platforms, and other database driven functions have come in handy.

I currently find myself in a situation where I need to build some basic websites for sales, and I habitually built them in WP because that's what I'm used to doing now. I haven't built a pure HTML site in some time, and I'm not sure whether doing so would give me enough functionality... though it seems you have started to highlight some functionality that pure HTML provides - pls feel free to continue.

Perhaps someone should start an off-shoot thread called "What you can do with just HTML", or "When you don't need Wordpress".

@TorontoBoy, thanks for replying.
I installed WP using 'Quickinstall' in the Hostgator CPanel.

I use the Genesis Framework for all my WP sites. I posted on their forum and users suggested it was a plugin.

The plugins on my infected sites include: "Genesis Simple Hooks", "Duplicator," "Easy Updates Manager", "Always Edit in HTML" and "Coming Soon by SeedProd".

WPScans just kept scanning and never produced a result. I will try it again later.

Q. What "raw access logs" are you using?

Thanks @not2easy, I never experienced malware hacks until now. I guess I just got lucky.

I have since stripped out all plugins (except a couple of essential ones), and the remaining plugins and themes are all up-to-date. The infestation just renewed itself, like bacteria.

Re "external scripts" please can you elaborate, are you referring to Javascript?

Q. What "raw access logs" are you using?

There’s no “What” about it. The significance of raw access logs is that they are just as the server generated them--not processed through some third-party utility or analytics. Logs are plain-text files that can be opened in any text editor.

Logs may or may not point out the wrongdoers’ entry point, but they are certainly a good start. When you find a request like
GET /wp-admin/plugin-editor.php?file=userpro%2Ffunctions%2F_trial.php&plugin=userpro%2Findex.php
or
GET /administrator/fck/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F

(from an IP other than your own, that is) you know they're up to no good, and you need to look more closely to see if they succeeded.

Edit: I was going to paste-in an even more nefarious-looking log example, but it was SO nefarious, it triggered the present site's 403 response!

Re "external scripts" please can you elaborate, are you referring to Javascript?

I am talking about any scripts used on a static site that are not your own, hosted on your site or supplied via an account. These can be .php, .js or any remotely hosted scripts. I am not talking about using pieces of code such as you use to show AdSense but some of the many "free" scripts offered to add functionality or content or features on static html sites.

By all means you should be viewing your access logs, download them and examine them. These are the records generated by the server that show each file request, from where and what might be causing the malware issue. Once you know how it is caused, you can prevent it.

Google offers some assistance, a link at the bottom of this page: [support.google.com...] tells you how to fix it. If it continues to infect your site you will find your site removed from the index and need to clean it up to apply for a security check to get your site shown again. You don't want to leave it like it is any longer than it takes to fix it.

The reason I have used Wordpress to design so many sites, is because I have needed the functionality in the past.

Sometimes we get stuck in a rut.

Each site (and functionality) should be task one before anything is done. Static HTML (in most cases) will trump all for ease of management and security. Inclusion of SSI (server side includes) makes that even easier. Address "action" with scripting (ls, php, perl, python, etc) as needed.

WP, on the other hand, is a bandit magnet and any serious developer approaches with a ten foot pole fully extended!

@lucy24

The significance of raw access logs is that they...

Thanks for the heads up about these files. I downloaded some last night. I noticed that they only show the logs for the current day. However I have now checked a box in my CP activating the archiving of the logs. Good lesson learned for next time.

@not2easy

These can be .php, .js or any remotely hosted scripts

Just to clarify, so if all my Jquery / Javascript code is included inside my own web page files, perhaps inside a 'js' folder, they are safe... but if I am linking to external sites to access code then this is more risky?

@not2easy
PS: Thanks for the Google support link. It looks like I will need this.
One of my sites is still infected, despite the free version of Wordfence being installed with an active firewall

Thanks @Tangor, I am going to go down the path of simple HTML / CSS sites for this. I don't really know anything about SSI at the mo, though I'll have to work out how to incorporate this into my sites.

I only know HTML and CSS, so... I will have to use existing snippets of Javascript and other codes (like Python etc, which I know nothing about) and add them in the right place... I will need some guidance with this.

As for SEO... I think I will keep a WP site for testing things. For example, I will keep the 'Yoast SEO' plugin installed on a WP site and write in the content to a private WP post, add the keyword etc, and ask Yoast for SEO info. Then, when it's perfected, I'll just paste my content into my HTML site knowing that the Yoast plugin has approved the content.

Not too long ago Yoast tanked a zillion sites ... (sigh)

Just take the time to learn it, know it, then expand it. HTML, CSS, scripting (as needed)

Edit: I was going to paste-in an even more nefarious-looking log example, but it was SO nefarious, it triggered the present site's 403 response!

@Lucy Hahaha Show us the nefarious!

To break into a house you will need to scout the house out, go 'round a couple of times at night, see who is home, try some obvious things, such as is the front door open, are the windows all locked, etc. You look until you can find the easiest way to break it. All these attempts are logged in your raw access log. It often takes hackers a good long while to find a vulnerability and then exploit. If they use a software package there are tell-tale signs of attempts. All their research is logged in the raw access log. If you wish to watch a very slow motion version of your hack, look at your raw access log.

I would not say that those that use WP are stuck in a rut. I, too, will default to WP for most users unless there is a specific reason they need something more that WP cannot do. Besides Drupal I have picked up Grav and other flat file CMSs. I also code raw html and css. Each has its advantages and disadvantages. You choose the tool that is best suited.

In my local Wordpress meetup I talk with musicians and artists, all whom have no interest nor talent for the technical. For them WP is great. After the 5 minute install they are writing content and publishing. Content goes up on the web and they are ecstatic. Google search picks them up quickly. They don't know nor want to learn html, css or anything else. They are happy with WP. Unfortunately they don't know the maintenance issues.

Wordpress is like a self-driving car, where the passenger does not want to learn about the route travelled, what's under the hood nor maintenance. And what's wrong with that? For some people the destination is the destination.

Hahaha Show us the nefarious!

Put it this way: after disencoding all the percents, part of the request was

file_put_contents($_SERVER['DOCUMENT_ROOT']

and then the contents to put. You can see the server's point. The User-Agent also contained a bunch of braces and backslashes, so it is not surprising that it got a 418 from mod_security.

@tangor

Not too long ago Yoast tanked a zillion sites ... (sigh)

Whaaaah?! - Please can you elaborate?

@avery123, see [google.com...] for starters, or type "yoast plugin" in the search box top of this thread...

Yoast issued a version almost a year ago that caused image link errors for some sites. The error was quickly reported and the next update fixed the image issue. Not an ongoing situation.

^^^
While completely true, it is indicative that dependence on third parties (ie, plugins) can have an adverse effect. All one can do is vet the third party gear as best as possible.Else one has to wait for an update ... and lose revenue in the meantime.

You get what you pay for...

Yikes! That was 9000! Shut my gabby mouth!

All users of WordPress should research any plugins they want to add to their site. You can use the wordpress.org site to search for plugins and see when they were last updated, you can see how many installs there are - how many users are using that plugin. You can see how responsive the plugin developer is in addressing questions and support issues for their plugins.

Another place to check any plugin vulnerabilities is at WPScan Vulnerability Database [wpvulndb.com] where they list every plugin vulnerability ever reported and show the plugin version that was affected and when it was first reported.

If you use proprietary plugins that are not available from the wordpress plugins pages, at least you should understand that you are on your own and it is up to you to monitor for vulnerabilities of those plugins.