Site Hacked After WordPress 4.4 Update

(Note: I don’t have any reason to believe the hack is actually related to 4.4, but the point is that the fixes contained in 4.4 itself were not enough to prevent it I’d bet they got in via a plugin anyway).

My site was hacked, despite being protected by Wordfence and behind Cloudflare. They set up some phony myappleid stuff for phishing attacks and even their own email account! I still have no idea how they got in, but after scanning with the plugins from GOTMLS.NET and Sucuri.net, changing to even more paranoid passwords, and going through everything by hand for 6 hours, I think we’re good now.

Just to warn people that you can still get hacked even if you’re fairly paranoid, vigilant, and tech-savvy!