Since the last one week, my wordpress website is getting hacked multiple times. Each time, the attack is more severe and right now I need urgent help to restore the website and also try to fix the rootcause.
1st Attack: Around Feb 22nd
The attack redirected my website to a malware site. I accessed the files from the backend and found some corrupted files. Deleted those. Deleted and restored all plugins and content folder from backup.
Website was restored.
2nd Attack: Around 10 hours ago
As I looked at the files again and issued looked like the same. But this time, even after deleting all files but wp-config, and adding new files from wordpress download, nothing changed. the redirection was still on. So, the conclusion was that the database was also hacked. So we did a clean install from scratch and it was restored.
3rd Attack: Around 04 hours ago
Not sure why but the hacker has found a linking to my unpopular, trafficless site. Anyway, this time, the issue is more severe. I have deleted all the content, renamed the folder and yet when I put the url (harishmarnad.com) it continues to be hacked.
I have used free Cloudflare protection which points to my Hostgator account. If there is no folder there on the hosting provider, the website should not load anything. I am not sure where could the redirection be? If it is not in the website content files if it is not in the database, then where could it be?
I have got to the HostGator support team and they are taking their own sweet time to scan and come back. I need to look for alternatives as I have almost run out of ideas.
Anyone here can guide? any ideas on how to get to the problem? What can I do next to identify the problem and hopefully fix it? Also need guidance on how to avoid another hack but that seems to be far away.
Any help will be highly appreciated.
EDIT: I had basic wordfence on even before the first attack. But since then, we have had itheme, secure (free version) on as well.
EDIT2: After the most recent hack, I was made to think that the website is still hacked even after deleting all the files and folders from the website. It was because of cache. Others have pointed out that the website is not loading.