My wordpress keeps getting hacked. Twice already by the same people. All they do is add a redirect and send all my traffic to spam, malicious and other bad websites.
I’ve renamed login bath, blocked IPs from unnusual places with some rules but I am afraid it may happen again.
I disabled all extra admins and changed the passwords but since they are not even logging in the website, I felt that maybe they are getting a hold of some of the accounts liked to the admin level of my domain such as cloudflare or ServerPilot.
Any advice on what they could be changing to add these redirects and how I can protect my wordpress website?