I'm wondering: if a user has had his WP admin (admin role) access revoked, but previously has had full site access, but no FTP/SSH, what would be the preventive measures to avoid this user regaining access?
I'm thinking that the user could have installed and deleted an FTP plugin and could have accessed the contents of wp-config.php, therefore accessing the salt keys and DB user & pass.
Salt keys can easily be reset (viva Defender!), but what about the DB? Can it somehow be accessed remotely if set to "localhost:3306" in wp-config.php?
Is there any other way the site could be compromised? (Considering we checked for added users and uploaded plugins.)