My process for cleaning a hacked site includes changing all credentials (user/pass) on hosting, FTP, WP (don’t use an admin-level user called ‘admin’) updating everything- from the repository – WP, themes, plugins. Remove old/unused plugins and themes use FTP of file manager to check every folder for files that look out of place (look at … Read more
Nice job recovering your password, however, the exploit probably still exists so you might get hacked again. Your next step is to find and seal up the security hole. It could be a plugin. It could be a theme. Download and run the Sucuri plugin to help you figure it out.
This is a great article on WordPress security, loads of great advice… https://codex.wordpress.org/Hardening_WordPress. I’d follow the advice in the article above, and make sure to change all your passwords for FTP, blog login, etc so they’re all unique, long and random.
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
If you have a backup of your site from before the hack, just restore it. (If you don’t, consider making backups next time!) Otherwise, you’ll have to review the code in every file in your theme and plugins to find the nasty bits. To expedite the process, you can update/re-install themes and plugins from third … Read more
You need to secure your WordPress install. Start by removing this file and any other suspicious files, then running a reinstall via the backend. Run a plugin such as this as a guide to see which themes and plugins may be secure: http://ocaoimh.ie/exploit-scanner/ Also make sure all other WordPress installs on the server are similarly … Read more
They run it on your server, just like any other script runs (including WordPress). In the log you provided, it looks like the hacker knew your password. Perhaps you are using the same password on other sites, and he somehow gained access to one of them? Always set different and complex passwords; combine a large … Read more
There are many things that I do to check a possible hack on the site. Changing FTP users/passwords, reinstalling WP, reinstalling themes/plugins, changing user account passwords (especially admin level), change hosting credentials. I wrote an entry on my own site to remind me (most of the stuff there is my own ‘notes’ to myself). May … Read more
I’d guess that there is some rogue code on your site. (Assumption, since I don’t know your site URL.) You’ll need to check everything: update (from known good source) everything (WP, themes, plugins), then look at each folder for a file that doesn’t have the current date (since you just updated everything). Change the credentials … Read more
Any subscriber can’t do any harm to your site even if he wants it. https://wordpress.org/support/article/roles-and-capabilities/