So it seems like somewhere along the way the hackers managed to modify some files in the HTML root once again. This wasn’t just me. A similar hack was used to take over thousands of WordPress sites.
I had to restore from backup again, then set up some scripts to watch for and report unexpected changes.
Turns out they had access to the WordPress database as well, and that backdoor was saved in the backup I restored from.
After a simple manual cleanup and some plugin updates and removals, I believe the site is backdoor-free and pretty well protected. I’m now looking forward to further hack attempts.
I will probably do a small write-up on the methods they used and things that can be done to prevent it. Maybe it ends up helping someone with a similar problem.