I have a WP website that we transferred over from another provider. I now know it was compromised when I received it. So here's what's going on...
Every now and then, maybe every 2 months or so, I will log in and see that, in the settings, the “Admin Email” has been changed to something else. The membership box allowing anyone to register has been checked. And the “New User Default Role” has been changed to Administrator.
These are the only changes that are appearing. There are no new users and none of the other site files have changed. I suspect someone is gaining access to the DB even after I have changed all credentials including the DB name.
What I have done:
-Changed the DB user and pass
-Changed the WP DB prefix
-New user registrations are held in moderation until manually approved (not that this happens)
-Installed WP Security and whitelisted ONLY 2 IP addresses that have access to the admin
-Changed the /wp-admin to a custom admin login page
-Wordfence is installed and blocking IPs that cross a number of thresholds and not allowing usernames to be revealed.
-WP Security has been fully enabled to hide the WP version, remove headers and lots of other things.
-A list of invalid usernames is immediately blocked, but since the brute-force IP whitelisting, this has NOT been an issue
The only variable that I am not sure about is the theme that came with the site. It’s using a BizNiz Premium Wordpress Theme by WP Titans.
Any obvious things that I can look at that maybe I am missing? Thanks in advance for your help.
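Added example, not part of the original post: a drift check over periodic reads of the three settings described above, which narrows each change to a time window that can be matched against web-server and database logs. `admin_email`, `users_can_register` and `default_role` are the WordPress option names behind those settings; the scheduled snapshot collection, the function names and the sample values are assumptions.

```python
from datetime import datetime

# wp_options rows behind the three settings the post describes.
WATCHED = ("admin_email", "users_can_register", "default_role")

def find_drift(baseline, snapshots):
    """List every change to a watched option, with the time window it fell in.

    baseline:  {option_name: known-good option_value}
    snapshots: [(ISO timestamp, {option_name: option_value}), ...] collected
               by a scheduled read of the options table (assumed setup).
    """
    findings = []
    previous, previous_ts = baseline, None
    for ts, current in sorted(snapshots, key=lambda s: datetime.fromisoformat(s[0])):
        for name in WATCHED:
            if current.get(name) != previous.get(name):
                findings.append({
                    "option": name,
                    "old": previous.get(name),
                    "new": current.get(name),
                    # The write happened between these two reads: the window
                    # to pull web-server and database logs for.
                    "after": previous_ts,
                    "by": ts,
                })
        previous, previous_ts = current, ts
    return findings

def open_admin_signup(options):
    """True when anyone can self-register and new accounts become administrators."""
    return (options.get("users_can_register") == "1"
            and options.get("default_role") == "administrator")

# Constructed sample data, not taken from the site in the post.
BASELINE = {"admin_email": "owner@example.com",
            "users_can_register": "0", "default_role": "subscriber"}
TAMPERED = {"admin_email": "changed@example.net",
            "users_can_register": "1", "default_role": "administrator"}
SNAPSHOTS = [("2024-01-10T03:00:00", TAMPERED),   # deliberately out of order
             ("2024-01-10T01:00:00", BASELINE),
             ("2024-01-10T02:00:00", BASELINE)]

if __name__ == "__main__":
    for f in find_drift(BASELINE, SNAPSHOTS):
        print(f"{f['option']}: {f['old']!r} -> {f['new']!r} "
              f"between {f['after']} and {f['by']}")
    print("open admin signup:", open_admin_signup(SNAPSHOTS[0][1]))
```

The shorter the interval between snapshots, the narrower the log window each finding points to.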