I had a server before and I'm the only one OP in it or with the restricted permission but there are people who managed to 'hack' the server and get OP(restricted perms) for themselves. I kept deoping and banning them but they kept coming with OP and stuff. Is force OP real? fyi i only got the password for the server's files and it's has like 20 characters
The common case is to use plugins from questionable sources. Those plugins can contain various backdoors for certain players to get OP (at very least). Other than that there may be a lot of reasons actually, so it's better to provide more info.
The same way as how your wallet got stolen. Your wallet is in your pocket, and you are attentive to every person walking nearby, and you occasionally check if it's still there. How come the money inside suddenly disappeared?
make sure plugins dont have backdoors having some command logger could kinda help checking user's permission helps too some might have * in pureperm some plugin backdoor might not need command to invoke(example throw a stick followed by stone to activate) regardless of the password length you should change it