Hacked three times

While I don’t know for sure that security issues with Contact Form 7 are the cause of my server virus problems, I strongly suspect it. My site has been hacked three times with PHP viruses that typically enter through user input forms. In all three cases they ended up with root access to my server. Twice they were sending spam emails, and the third time I think some Chinese people were using my server for bitcoin mining. It’s hard to know for sure how they hacked my site but I have a static site, basically a fancy business card. The only obvious opportunity for user input and potential hacking is the Contact Form 7 email form. I looked through the plugin’s validation code, and while it does a good job at validating the various types of user input it doesn’t seem to do anything at all to anticipate or prevent malicious PHP injection hacks. My themes and plugins were not hacked, those were untouched, so it appears they went through the Contact Form 7 fields and gained access to the server that way.