While the website’s login page to the admin panel was secure and not publicly accessible, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin. In a worst-case scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.
