Site hacked – again and again.(Spam sending, code injection)

You should take a look at this reference:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked

There are a couple of tools you can use to help detect damage that may have been done to your site:
Exploit Scanner plugin
Sucuri online scanner

Other things you should do:

• Change passwords for all users, especially Administrators and Editors.
• If you upload files to your site via FTP, change your FTP password.
• Re-install the latest version of WordPress.
• Make sure all of your plugins and themes are up-to-date.
• Update your security keys.

Just cleaning out files isn’t enough. When you’re done, you may want to implement some (if not all) of the recommended security measures.

Did most of that.I even did a clean install of WP,on a new FTP acccount and NO plugins.3 days later,got hacked again.
Checked my DB to see other hidden users.Nothing.My password are changed and way too complex to be guessed.

I need to find how the intrusion happens.

Hi embrance

Have a look at your htaccess file and add :

# Empêcher l'accès au fichier wp-config.php
<FilesMatch ^wp-config.php$>
deny from all
</FilesMatch>
# Désactiver l'affichage du contenu des répertoires
# Options All -Indexes
# Alternative pour empêcher le listage des répertoires
IndexIgnore *
# Masquer les informations du serveur
ServerSignature Off
# Activation du suivi des liens symboliques
# Options +FollowSymLinks
# Protéger les fichiers .htaccess et .htpasswds
<Files ~ "^.*\.([Hh][Tt][AaPp])">
order allow,deny
deny from all
satisfy all
</Files>
# éviter le spam de commentaires
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.yoursite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>
# Sécuriser l'identifiant d'un auteur
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* - [F]
</IfModule>
# Désactiver le hotlinking de vos images
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ https://fakeimg.pl/400x200/?text=Pas_touche_aux_images [NC,R,L]
# Bloquer l'utilisation de certains scripts
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Protection contre les injections de fichiers
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
# Protections diverses (XSS, clickjacking et MIME-Type sniffing)
<ifModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options: "nosniff”
</ifModule>

In this code, replace “yoursite.com” by your address website

Add # for desactivate that you don’t need (if you don’t want to break your site, add one protection at once, upload, test and if it is ok, add one more proteection (one by one)(and always ttest after add and upload > refresh browsner) (CTRL + F5 on windows) (i think)

hope this can help you

??

Tried this.Will wait some days to see if it helpes.
Thanks for the support.