There has been a wealth of core and plugin vulnerabilities of late which were being exploited days after disclosure. If you didn't update WordPress or plugins for a short time you might have been hit.
I'd normally recommend going overkill on a cleanse if you don't know, or don't have the ability to analyse the logs to find, how and when it was done.
- Save wp-config to your machine.
- Save the wp-content folder to your machine.
- Delete everything from the server.
- Upload newly downloaded WordPress files.
- Upload wp-config to the new install, checking there is nothing in there that shouldn't be, compared to the default wp-config. (If you have custom rules in .htaccess it's worth saving that too, but check again for things which shouldn't be in there.)
- Do a virus and malware scan of your wp-content folder for obvious nasties. (This still won't pick up backdoors, as generally they are simple PHP files which are not malicious, hence the reason for deleting everything else and taking the additional steps mentioned below.)
- Upload the wp-content folder back to the newly uploaded WordPress, apart from the plugins folder.
- Download fresh copies of all the plugins previously installed. (Do not upload the old ones and overwrite.)
Once all of the above is done you should be left with everything new apart from your uploads and theme folder. Enable Wordfence, and in the options there is a tick box at the bottom saying "Disable Code Execution for Uploads directory". It's also worth ticking:
- Hide WordPress version
- Block IPs who send POST requests with blank User-Agent and Referer
- Immediately lock out invalid usernames
- Don't let WordPress reveal valid users in login error
- Prevent users registering 'admin' username if it doesn't exist
- Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, and the WordPress REST API
I also add these usernames to the "Immediately block the IP of users who try to sign in as these usernames" option (obviously this is counting on you not having one of the following as your admin login):
- admin
- administrator
- qwerty
- root
- user
- test
- (your site name, e.g.) acorndomains
All said and done, that should leave your theme folder as the only thing which is unchecked; you should check each template for code which shouldn't be there.
There shouldn't be any reason that Wordfence should slow the site down unless it's having to deal with something; slowness could have been a sign to keep Wordfence enabled rather than disabling it. I dealt with 3 people last week that were complaining about the same thing; all 3 of their sites were being hit every 20 seconds by 13 different IP addresses, not enough to be considered an attack, but without the noticeable slowdown they could have been doing that for months undetected.
Obviously if you can analyse log files, all of the above can be missed as you can probably trace back to how and when it was done.
Passwords: it's also worth changing all passwords and making sure there aren't any users in the database who have suddenly given themselves admin permissions. Passwords include: cPanel, FTP, WP admin and WP database user/password.
Once happy you are reasonably clean, make sure the Wordfence web application firewall is set up correctly. It may be in learning mode if it's newly set up; that's fine, it will activate once it's finished learning.
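
The uploads and theme checks described in the post can be partly automated on the saved copy of wp-content before it goes back on the server. The script below is an added example, not part of the original post and not Wordfence code; the function name `scan_wp_content` and the marker list are assumptions chosen for illustration, and every hit is a prompt for manual review rather than proof of compromise.

```python
import re
import sys
from pathlib import Path

# Extensions a PHP-enabled server may execute; none belong under uploads/.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Heuristic markers (assumed list) often present in injected PHP. Legitimate
# themes can trigger some of them, so each hit needs a human to read the file.
SUSPICIOUS = {
    "eval()": re.compile(rb"\beval\s*\("),
    "base64_decode()": re.compile(rb"\bbase64_decode\s*\("),
    "gzinflate()/str_rot13()": re.compile(rb"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "create_function()/assert()": re.compile(rb"\b(create_function|assert)\s*\("),
    "request data used as code": re.compile(
        rb"\b(eval|assert|system|exec|passthru|shell_exec|include|require)\b"
        rb"[^;]{0,80}\$_(GET|POST|REQUEST|COOKIE)"),
    "very long line": re.compile(rb"[^\r\n]{2000,}"),
}

def scan_wp_content(wp_content):
    """Return sorted (relative_path, reason) findings; nothing is modified."""
    root = Path(wp_content)
    findings = []
    # 1. Anything executable inside uploads/ is out of place.
    for path in (root / "uploads").rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXT:
            findings.append((path.relative_to(root).as_posix(),
                             "executable file in uploads"))
    # 2. Theme templates: report each marker found in each PHP file.
    for path in (root / "themes").rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXT:
            data = path.read_bytes()
            for reason, pattern in SUSPICIOUS.items():
                if pattern.search(data):
                    findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content"
    for rel, reason in scan_wp_content(target):
        print(f"{rel}: {reason}")
```

Run it against the local copy, for example `python scan.py ./wp-content`, and read every reported file by hand before uploading anything.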