According to Wordfence, the campaign website for the re-election of Donald Trump was hacked. (The site has since been restored, with some notable missing pages.)
Wordfence provides a security service for WordPress websites. The Trump campaign website uses an alternate content management system, Expression Engine. The Wordfence folks thought it would be interesting to analyze the hack and defacement to see what could be learned without access to forensic information.
The Wordfence analysts concluded that the most likely way the hackers gained access to the campaign website was through compromised credentials — they guessed the password for an administrative account:
The Internet Archive indicates that the last time the admin page was accessible in the default location was in June of 2015. Even in this hidden location, if an attacker was able to access the administrative panel they would have been able to alter any content on the site, though they would not have had access to any sensitive information.
(Cloudflare is a load balancing service.)
The moral: use strong passwords and implement two-factor authentication.