I have two active sites now, I just backed up the DBs prior to updating themes, plugins and cores. On of them had increased less than an MB and it has had some new content added which explains this. The other had increased 10MB and AFIAK is has not had any content added. I use very long, secure PW and often set the file permissions to remove public access to wp-login.php to prevent access. But rather than browsing through every page of the site to find out what was added, I’d love to see if any activity was logged.
Could it be a direct PHP injection? I thought the risk of those was properly countered several years ago at least.
WordPress keeps [revisions]) of posts and pages.
WordPress by itself does not track logins. There are common plugins that add functionality to track logins and other actions.