My website has been hacked, which steps I should follow now?
tonight my website has been hacked.
I noticed that only thanks to Google that now show a Phishing Warning when I try to enter my website with Chrome or Firefox (with Edge Chromium everything is ok…)
By the way in the Search Console in Security Problems (I thinks so, I’m translating from italian… so maybe some word may be different ) Google alert me about this folder: wp-admin/network/god .
This is the content of that folder: https://1drv.ms/u/s!AgeF7StEHaDSaiOnWPK4BQ6nmM0?e=76LAfe
That folder was loaded in my website tonight, and I also found a new user in database created on 2020-11-03. I don’t know if this date is right, maybe the user was added hardcoding every info… is this possible?
I also found a index(old).php in my root folder that contains a lot of base64decode functions ( https://pastebin.com/9VW0NUbX )
I don’t know what is that, I’m starting now to "investigate", I’m writing this with a hope that someone could help me…
What I would like to know is: which steps should I follow to discover every file added, changed or deleted? And how can I discover HOW all this is occured? I update all plugins weekly.
How can I know how hackers have been able to add a user in database and to add a folder in my website.
I have a clean backup, the only secure way to clean my website is to reload everything?