It can be implemented on the site, for example, when updating a resource.
Brute-force is the use of programs that automatically sort through passwords, selecting the right one.
Phishing. It is usually designed to steal user data — for example, payment data. But phishing can also be used to find out access to the admin panel of the site or FTP server.
Hacking via phpMyAdmin. The latter is an open source application for MySQL administration. In simple terms, this is a visual interface for working with a database. Because it is usually outdated, there may be a lot of bugs in it.
Shared hosting — i.e. when the provider uses only one server and hosts all projects on it. Usually this accommodation option is chosen to save money. But such savings can be quite expensive if an attacker finds gaps in the protection of other sites hosted on the same server. Through them, he can access your access rights.
The use of programs that mimic the interface of the site.
The webmaster thinks that he is entering accesses into a real browser — but in fact passes them to attackers.
Leaving links and files by hackers posing as users. This is especially true for forums or sites where you can leave comments and reviews. A malicious link can be thrown on the site, even if it is possible to upload an avatar on it.