Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit.
Other things to consider:
- Change WordPress admin user passwords – done
- Change Hosting account user password
- Change FTP passwords
- Change MySQL db user password – done
Change the db table prefix- Update your wp-config nonces/salt
- Check your directory/file permissions
- Block directory-browsing access, via
.htaccess
- Go through everything in the Hardening WordPress Codex entry
- Go through everything in the FAQ My Site Was Hacked Codex entry
Related Posts:
- Verifying that I have fully removed a WordPress hack?
- If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
- Tips for finding SPAM links injected into the_content
- What should I do about hacked server?
- How can I find security hole in my wordpress site?
- How to prevent bot or someone to modify any file automatically?
- wp-config.php modified?
- Suspicious Files
- How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
- Malware script in database post table only? [closed]
- How can I safely hide the fact that my website runs on WordPress? [closed]
- My WordPress Websites are always under attack
- How to find exploited wordpress plugin [closed]
- Any known bugs that could cause disappearance of the wp_users table?
- On new server, site got hacked, permissions a bit strange? Please help
- Replace domain in database
- Remove hacked code – out of ideas! [closed]
- WordPress Database Re-installed (Hacked)
- Verifying that I have fully removed a WordPress hack?
- Could a user account with a stolen password compromised entire WP site?
- how to find the way they hacked my WP site
- How to stop repeated hack on header.php of custom theme? [closed]
- Is my WP site being hacked?
- Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
- WordPress Hacks/Defacing [closed]
- What’s the best approach for generating a new API key?
- Simplest two-way encryption using PHP
- How does the SQL injection from the “Bobby Tables” XKCD comic work?
- how fix “this certificate cannot be verified up to a trusted certification authority”
- How can bcrypt have built-in salts?
- Getting a List of Currently Available Roles on a WordPress Site?
- Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
- How safe / sanitized is wp_insert_posts()?
- From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
- Why are passwords exportable as plain text in WordPress?
- What’s the difference between esc_* functions?
- How to set up fail2ban with WordFence?
- Is there a way to force ssl on certain pages
- What is the purpose of having a token in cookies?
- How is password strength calculated?
- Regular security checks – what steps should be included?
- What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
- WordPress “Site Health Status” trust it or myself for its security advice?
- Do Cookies Need to be Sanatized Before Being Saved?
- Disable external access to REST API Endpoint
- What is the wp-includes/certificates/ca-bundle.crt used for?
- Do you need to escape hard coded plain text?
- Encrypt emails?
- WordPress salts set in config and database
- Disallow file edit not preventing plugin install
- How to secure WordPress XMLRPC?
- Websites defaced by uploading script using theme editor
- Does WP show me if I’m logged in from multiple locations?
- Has anyone experience w/ WordPress (MultiSite) hidden users (possibly hacked)?
- Is it necessary to use esc_url with template tags such as get_permalink?
- WordPress Malware Problem help! [duplicate]
- Staging Site: Made Public – Security Questions
- Restrictive File Permissions
- Why are xmlrpc.php and wp-cron.php being called so often?
- Using esc_html with HTML purifier and CSSTidy: Overkill?
- wordfence scan warning on W3 Total Cache [closed]
- Is default functions like update_post_meta safe to use user inputs?
- No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
- Securing wp-config leads to sensitive information leak on wp-settings
- How to save iframe tag into a post?
- wp-json and what data does it give away?
- Is wp_kses the right approach in sanitizing this string?
- iTheme Security always lockout my account [closed]
- Is it sensible to worry about sanitizing admin input in plugin custom CSS?
- WordPress Front end Form – Enable to Submit PHP Codes
- Is it safe use wp_editor in public contact form
- Is WordPress MultiSite secure & how much can it scale? [closed]
- How safe is current_user_can()?
- Is it safe to give wordpress directories ownership to www-data?
- Troll the hackers by redirecting them
- Do we need to escape data that we receive from theme options?
- Why does WordPress change a file’s permissions?
- Side effects of disallowing *.php requests in production environment?
- Outgoing new connection to linked Websites – why?
- My Site keeps crashing due to the wp-confg file being deleted
- Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
- Does this code indicate an exploit?
- What highest security brake with wordpress and static files?
- Spam in WordPress root folder
- Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
- how to protect wordpress content from crawler
- Should I worry about SQL injection when using REST API?
- How can I backup my site if it gets hacked?
- Cannot access wp admin of WordPress website (security plugin issue) [closed]
- Why are the latest visits to my website originating from my own website?
- How do I hide WordPress users from security scanning?
- Background Updates Not Happening
- wp-config.php file and code injection
- FORCE_SSL_ADMIN affecting subdomains
- What is the best security $_POST method?
- My WP site and password was hacked, what to do? [closed]
- Move data from wp-config to another file
- Heartbleed: What is it and what are options to mitigate it?
- OpenVPN vs. IPsec – Pros and cons, what to use?
- How to test if my server is vulnerable to the ShellShock bug?