How to remove malware and malicious

Nothing, really. Only backups, and waiting for the next hack.

I do not believe in “super hacking skills that were used to hack the entire infrastructure”.

I guess the causes are very simple and stupid.

For example:

  • premium nulled themes/plugins (a very common thing)
  • any plugin/theme/hook/PHP code/snippet taken from the internet instead of the official WordPress repository
  • using outdated plugin(s)/theme, or very new/unpopular ones that few users have installed
  • using the same password everywhere, including on the WordPress website
  • using a short, simple password for WordPress too
  • keeping your wp-login page open and at its default location
  • using very simple/stupid passwords for the WordPress database connection
  • using PHP code on your website that you’re not familiar with, added to improve your website’s functions/features (custom input fields, forms, etc.)
  • modifying the default configs of Apache, nginx, etc. in ways that lead to a security hole

What can be done?

  1. take backups from the server somehow
  2. re-install the entire OS on the server, with a changed password, via your provider’s control panel.
    There is no way or reason to keep a potentially compromised operating system any more if you do not know what happened or have no guess as to why it happened.
  3. on your local computer, turn off the internet and try to set up your website locally with Laragon / OpenServer or WAMP to see how it works.
  4. open Chrome DevTools and check the sources
  5. go to the plugins directory and the themes directory → remove everything from there
  6. download a clean copy (archive) of WordPress from the official website
  7. compare the folders of the clean WordPress and your WordPress, file by file. Check the differences; for sure you will find affected files, etc. Fix all of them, make them identical to the WordPress ones. Tools that can be used: Meld, Araxis Merge, etc.
  8. with WP-CLI you can try to clean your DB, repair it, and check other stuff
  9. when the WordPress files are clean, install any popular plugin to clean your WordPress of the leftovers of unused plugins
  10. now return your plugins one by one via the official repo
  11. now return your theme or custom changes one by one
  12. set up a new HestiaCP control panel with a good password, etc.
  13. set up Cloudflare or the Sucuri WAF / firewall (see: “[FEATURE] modsecurity or other waf · Issue #1859 · hestiacp/hestiacp · GitHub”; “How to install modsecurity correctly? - Vesta Control Panel - Forum”; “Clarification on nginx/apache mod security?”; sorry for the wrong pointing)
  14. GoAccess or any other access.log analyzer to track what is going on in your access logs; check it from time to time to find common attack patterns
  15. optionally, with Cloudflare you can allow only Cloudflare in to your website, so that all requests to your website come from the Cloudflare network only. I.e. a hacker won’t be able to hack your website directly because of the Cloudflare WAF, etc. (hard to explain why; for sure very small chances are still there, but still it’s much better than nothing)
  16. Lynis (Security auditing tool for Linux, macOS, and Unix-based systems, by CISOfy) to audit your system (./lynis audit system); it will show common problems. This is just a tool; on a default setup of HestiaCP everything is ± great, but there is always room for improvement.

As you see, all of that requires a lot of time, effort, analysis, etc.
There are no fast or easy solutions.
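Steps 6 and 7 of the post above (download a clean WordPress, compare it against the site copy file by file) can be scripted rather than done by hand in Meld. The following is an added example, not code from the post or from HestiaCP: it walks the site tree, reports every file that differs from the clean copy or has no counterpart there, and skips the files that are legitimately site-specific (wp-config.php, .htaccess, the uploads directory). The two directory trees it builds are constructed for the demo and stand in for the real downloaded archive and the real site.

```sh
#!/bin/sh
# Added example, not code from the post above. Compares a clean WordPress tree
# against a possibly-compromised site copy the way steps 6-7 describe, from
# the shell. The sample trees built below are constructed for the demo.

# list_suspicious_files CLEAN_DIR SITE_DIR
# Prints "MODIFIED path" for site files whose bytes differ from the clean copy
# and "EXTRA path" for site files the clean copy does not have at all (the
# usual place a dropped web shell or injected loader turns up). Files that are
# legitimately site-specific are skipped: wp-config.php, .htaccess and the
# uploads directory. Uploads still deserve a separate look for *.php files.
list_suspicious_files() {
  clean="$1"
  site="$2"
  ( cd "$site" && find . -type f \
        ! -path './wp-content/uploads/*' \
        ! -name 'wp-config.php' \
        ! -name '.htaccess' | LC_ALL=C sort ) |
  while IFS= read -r f; do
    rel="${f#./}"
    if [ ! -f "$clean/$rel" ]; then
      printf 'EXTRA    %s\n' "$rel"
    elif ! cmp -s "$clean/$rel" "$site/$rel"; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done
}

# build_sample ROOT
# Constructs a tiny "clean" tree and a "site" tree with one tampered core file
# and one planted extra file, so the function above has something to compare.
build_sample() {
  root="$1"
  mkdir -p "$root/clean/wp-includes" \
           "$root/site/wp-includes" \
           "$root/site/wp-content/uploads/2024"
  for d in clean site; do
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$root/$d/index.php"
    printf '<?php $wp_version = "6.5";\n' > "$root/$d/wp-includes/version.php"
  done
  printf '<?php // core loader\n' > "$root/clean/wp-includes/load.php"
  # tampered copy: the same core file with a line appended to it
  printf '<?php // core loader\n// injected line\n' > "$root/site/wp-includes/load.php"
  # planted file that has no counterpart in the clean tree
  printf '<?php // not part of WordPress\n' > "$root/site/wp-includes/class-wp-cache.php"
  # legitimately site-specific files that must not be reported
  printf '<?php define("DB_PASSWORD", "changeme");\n' > "$root/site/wp-config.php"
  printf 'JPEGDATA\n' > "$root/site/wp-content/uploads/2024/photo.jpg"
}

# Demo run on the constructed sample:
demo_root=$(mktemp -d)
build_sample "$demo_root"
list_suspicious_files "$demo_root/clean" "$demo_root/site"
rm -rf "$demo_root"
```

On a real site, point the first argument at the unpacked official archive and the second at the backup of the hacked document root; anything reported as EXTRA under wp-admin or wp-includes should not exist, since those directories contain nothing but core files. WP-CLI's `wp core verify-checksums` does the same comparison against WordPress.org's published checksums and is worth running alongside it.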
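Step 14 of the post recommends GoAccess or another access.log analyzer to find common attack patterns. As an added example, not code from the post or from GoAccess, here is the kind of question worth asking of a WordPress access log, answered with nothing but awk: which clients are POSTing to wp-login.php and xmlrpc.php, and how often. The log lines are constructed for the demo and use documentation IP ranges; the combined log format and field positions are the standard Apache/nginx ones.

```sh
#!/bin/sh
# Added example, not code from the post above. Summarises password-guessing
# and XML-RPC abuse from a combined-format access log. The log lines are
# constructed for the demo.

# count_login_posts LOGFILE
# Reads an Apache/nginx "combined" format log and prints "count ip" for every
# client that sent POST requests to wp-login.php or xmlrpc.php, busiest first.
# Field 6 is the quoted method ("POST), field 7 the request path. One or two
# POSTs is a person logging in; hundreds from one address in a few minutes is
# a password-guessing run, and xmlrpc.php POSTs from a scripted user agent are
# almost never legitimate on a small site.
count_login_posts() {
  awk '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# write_sample_log FILE
# Writes constructed log lines: one brute-force source on wp-login.php, one
# scripted xmlrpc.php client, and one ordinary admin login.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Demo run on the constructed log:
demo_log=$(mktemp)
write_sample_log "$demo_log"
count_login_posts "$demo_log"
rm -f "$demo_log"
```

The same report from GoAccess is the "Requested Files" and "Visitor Hostnames and IPs" panels of `goaccess access.log --log-format=COMBINED`; the awk version is here to make explicit what pattern the analyzer is surfacing. Once the noisy addresses are known, they are the input for a firewall rule or a WAF rate limit on the two endpoints.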
