There was a situation where my next-to-zero-traffic, decade+ old WordPress 4.9.18 site on PHP 5.7 was badly infected with malware, which even created a user in my WordPress site called firstname.lastname@example.org! It created some 200 spam posts, but because it's not like a blog, it didn't get exposed to the front page.
One solution is to convert it to a static-only site. So I got this as a workaround from my hosting company's excellent support.
    mkdir domain
    cd domain
    wget \
      --mirror \
      --page-requisites \
      --html-extension \
      --convert-links \
      https://domain.com/
Now upload the domain folder's content to your web directory.
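Because wget copies whatever the infected site currently serves, any spam posts or injected script tags it can reach end up in the mirror too. The check below is an added example, not part of the original workaround or the hosting company's advice; it assumes the mirror is in `domain` and the site is `domain.com`, and its demo runs on constructed sample pages.

```shell
#!/bin/sh
# Added example: audit a wget mirror for third-party <script> hosts before uploading.
# Assumed names: mirror directory "domain", site "domain.com" (from the commands above).

# Print every host, other than our own, that mirrored HTML loads a <script> from.
external_script_hosts() {
    own_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -rhoiE --include='*.html' \
        "<script[^>]+src=[\"']?(https?:)?//[^/\"' >]+" "$1" 2>/dev/null |
        sed -E 's#.*//##' | tr 'A-Z' 'a-z' |
        grep -vxE "(www\.)?$own_re" | sort -u
}

# List the mirrored pages that reference a given host.
files_loading_from() {
    grep -rliF --include='*.html' "//$2" "$1" | sort
}

# Report third-party script hosts with the pages using them; return 1 if any exist.
audit_mirror() {
    hosts=$(external_script_hosts "$1" "$2")
    if [ -z "$hosts" ]; then
        echo "no third-party script hosts found"; return 0
    fi
    for h in $hosts; do
        echo "third-party script host: $h"
        files_loading_from "$1" "$h" | sed 's/^/    /'
    done
    return 1
}

# Build a small constructed mirror (sample data, not taken from the real site).
make_sample_mirror() {
    d=$(mktemp -d)
    mkdir -p "$d/2021"
    printf '%s\n' '<html><script src="wp-includes/js/jquery.js"></script>' \
        '<script src="https://domain.com/theme.js"></script></html>' > "$d/index.html"
    printf '%s\n' '<html><p>spam post</p>' \
        '<script type="text/javascript" src="//cdn.injected.example/x.js"></script></html>' \
        > "$d/2021/spam-post.html"
    echo "$d"
}

sample=$(make_sample_mirror)
if ! audit_mirror "$sample" domain.com; then
    echo "review or delete these pages before uploading the mirror"
fi
rm -rf "$sample"
```

On the real mirror, run `audit_mirror domain domain.com` from the parent directory; hosts you recognise (fonts, analytics you installed yourself) can be ignored, anything else points at a page to clean or drop.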
Maybe the next step in the near future would be to use some JAMStack solution like Gatsby or Next.
Happy New Year - next post in 2022.