• Resolved skygazer

    (@skygazer)


    1.

    I’m afraid of crashing or screwing up my live site by choosing the “restore original version of this file” option.

    So as you can see in the pic it says that the WP core file was modified. When I clicked view the file it says the change was last done on Jan 18. The only thing I had done that day was have someone try to update my version of WP to the latest version, but there were some unexpected layout issues after the update so I had to revert it back to the current version of WP I was already using. So my question is: would what I described above cause this result in the scan, or did the person I hired do some shady business and change my core file?

    2.

    Will choosing the “hide this file in .htaccess” cause any functionality issue with the site?

    New to this plugin and just trying it out so would really appreciate help with this.

    Thanks.

    • This topic was modified 8 years, 2 months ago by skygazer.
Viewing 4 replies - 16 through 19 (of 19 total)
  • Thread Starter skygazer

    (@skygazer)

    Hi Stratosphere thanks for replying and helping.

    Yeah, I disabled all the ones that appeared in the pic I attached, but now I went ahead and deleted them completely after reading your reply. Before I deleted them I took the liberty of copying all the unique IPs that were on that shady list and put them on my Cloudflare block list for good measure and on the Wordfence block list too.

    I don’t know what damage they have already done and I don’t know if taking those steps will UNDO whatever they are or were doing but hopefully they aren’t able to continue whatever it is they were doing.

    Oh, almost forgot: as for the files in wp-admin, well, I don’t know what was there to begin with so I would be deathly afraid to touch anything in there lol. But maybe I need to have that looked at. Do you think there could be files in there that still let them do things like redirect traffic or whatever?
    I am fairly upset with myself to know my site was being “violated” this way for so long, who knows what they were doing… I suspect redirecting because I had noticed a good bit of drop in traffic but can’t say for sure it was their doing or just the normal course of events, though my Google traffic seemed to have picked back up… it used to be pretty good but then had started trailing off, but again I can’t say for sure that they are all related.

    Ah well, I feel a little better knowing now I know a bit more of what to keep an eye out for and for tools like Wordfence and Cloudflare IP blocking etc.

    Also thanks for making me aware about images.

    As for XML-RPC, I was actually reading up on that last night and read the pros and cons. Unfortunately one of the benefits (which I happen to use a great deal) is being able to post articles from your mobile, check stats, etc., which all rely on XML-RPC, so I won’t likely disable it but have done a bunch of setting changes to keep as safe as reasonably possible (I hope). If ever I see it getting out of hand I may have to reconsider and sacrifice the convenience.

    Thanks so much again for your time and help with this stuff, as I’m sure you can imagine it is nice to have the input.

    It’s good that you deleted them. For me these hackers had old URLs with content and images and kept requesting them, so in Options I entered those URLs of content that no longer exists and blocked anyone accessing them. So it stopped.

    To find any further problems do a Scan, that will tell you.

    Don’t be afraid – Wordfence corrects problems in wp-admin files. As I told you, I had about 150 severe errors and Wordfence restored all the proper files correctly.
    When you see these issues there is a selection called: Fix the File, or Restore the WordPress file and it works beautifully.

    If there are any left over hacks – Wordfence should be able to find them, if not refer to their service to fix those files. Sometimes yes they can remain and sometimes they are gone after a scan gives you the information to fix them. Keep doing scans to see if there are any issues.

    Violated, yes I felt that too with 150 errors on my site, don’t sweat it – just fix it and it should return to normal. You are also using Cloudflare, so send them a support ticket also regarding access.
    I noticed a drop in traffic also, but it wasn’t real traffic anyway; it was using your site as a conduit for spammy sites and it’s got to stop.

    I am still getting someone in the USA (I am not in the USA) from two source IPs: one is a Yandex bot from Russia and another in New York from Digital Ocean. On the server side I see my hosting server is getting hit from all over the world.

    Therefore, I am going to upgrade to the Premium Version; at $8 bucks/month I will sleep better.

    I don’t use XML-RPC and I don’t even know what it does, but for a little inconvenience I would rather be safe than sorry. Keep scanning and you are very welcome.

    Thread Starter skygazer

    (@skygazer)

    I did run the scan on two separate occasions after removing the suspected whitelist and nothing new was found so I am thinking all is good now, so far.

    As for the bots, I also get Yandex, but from what I’ve read I think they are a legit crawler bot, but then there could be fake Yandex impersonators imitating a genuine bot. I’ve heard there are fake Google bots too. Here is a link about Yandex bot: https://yandex.com/support/webmaster/robot-workings/check-yandex-robots.xml

    I don’t know if you already know this, but you can also make things more secure with your robots.txt file, assuming you have one; if not you should set it up. I could help you with it if you don’t already have it. I’ve always had one but I recently learned that you can add “Disallows” for bots so they don’t crawl stuff you don’t want them to, like your plugins, certain folders etc… I’ve read that some of them ignore the robots.txt file but most will abide by it. It also helps for more efficient indexing by Google and other crawlers because they only focus on what you allow them to crawl instead of crawling things like cgi-bin, plugins, etc. that shouldn’t be crawled.

    In my experience, bad bots ignore robots.xml especially this one, which has been confirmed and verified as a Yandex bot, but thanks for your reply.
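
The posts above turn on telling a genuine Yandex crawler from an impersonator; the usual check is a reverse DNS lookup followed by a confirming forward lookup, shown here as an added example that is not part of the original thread. The sample IPs and hostnames are constructed, the function names are hypothetical, and the three suffixes are the ones Yandex documents for its robots' hostnames.

```python
import socket

# Suffixes Yandex documents for its genuine crawler hostnames.
YANDEX_SUFFIXES = (".yandex.ru", ".yandex.net", ".yandex.com")


def system_reverse(ip):
    """PTR lookup via the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """A/AAAA lookup via the system resolver; returns a set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()


def verify_crawler(ip, suffixes=YANDEX_SUFFIXES,
                   reverse=system_reverse, forward=system_forward):
    """Return (verdict, detail) for a client IP whose User-Agent claims a crawler."""
    host = reverse(ip)
    if not host:
        return ("fake", "no PTR record")
    host = host.rstrip(".").lower()
    # Match on a dot boundary so 'evilyandex.ru' or 'yandex.ru.example' fail.
    if not host.endswith(suffixes):
        return ("fake", f"PTR {host} is outside the crawler's domains")
    # Whoever controls reverse DNS for an IP can set any PTR name, so the
    # name must also resolve forward to the same IP.
    if ip not in forward(host):
        return ("fake", f"{host} does not resolve back to {ip}")
    return ("genuine", host)


# Constructed sample data: documentation-range IPs, made-up hostnames.
SAMPLE_PTR = {"192.0.2.10": "spider-192-0-2-10.yandex.com",
              "198.51.100.7": "spider-1.yandex.com",  # spoofed PTR
              "203.0.113.5": "vps5.cloud-host.example"}
SAMPLE_A = {"spider-192-0-2-10.yandex.com": {"192.0.2.10"},
            "spider-1.yandex.com": {"192.0.2.99"}}


def check_sample(ip):
    """Run the check against the constructed records instead of live DNS."""
    return verify_crawler(ip, reverse=SAMPLE_PTR.get,
                          forward=lambda h: SAMPLE_A.get(h, set()))
```

Calling `verify_crawler(ip)` with no resolver arguments uses live DNS, so it can be run over the client IPs in an access log whose User-Agent claims to be Yandex.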

  • The topic ‘First time using this plugin and have 2 Q’s’ is closed to new replies.