Hundreds of sites use malicious WordPress plugins 3 years after they are discovered