Safety measurements, anything else I can do?

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Every new (or refreshed, in your case) self-hosted WordPress site needs “hardening”, and there is no better way to do that than with BulletProof Security at the gate and all service doors. Following that, Wordfence is great for throttling traffic and doing all the other things it can do. Out in front of all of that, NinjaFirewall can stop a lot of malicious traffic before it ever even reaches WordPress. There is where I block all traffic looking for certain foldernames that do not even exist anywhere within my installation.

Thanks both, that is valuable info! I read all the topics and hardened with Bulletproof and Securi Security. Iam going to take a look at NinjaFirewall.

One question left though. The hacked WP had 25 admin accounts, one of them was ours, the rest was hacked. I deleted all users in WordPress itself. Then I changed the login / pass / username of the main account in MySQL. The username was ‘admin’ and I wanted a harder loginname.

One strange thing now, is that according WordPress there still are 6 admin accounts, while I deleted all but on in WordPress itself. When I look at the usertable in MySQL, I only see that account, nothing else. Bulletproof, Securi and Wordfence didn’t find anything weird.

Anyone any idea what this means?

See: https://screencast.com/t/ruMhFc0xi

I have had times when the actual number of accounts and the Dashboard counter did not match, and that might even still be the case at one site or another. Wordfence Security logs login attempts hitting WordPress, and I am not concerned about the number discrepancy since I have yet to see anything unusual in the logs…but your own mileage may vary, of course.