If you are using the plugin Easy WP SMTP for sending site emails using SMTP, make sure that you update to version 18.104.22.168. Do not delay updating any of your child sites, as using the unfixed version of the plugin gives your child site a high chance of being hacked.
The hack will take the form of an admin user being created, due to a vulnerability in the older unpatched version of the plugin. The
siteurl will then be changed to an external site. This means that user permissions might be changed, and the site will not load correctly when the
siteurl value is not correct.
If you need a short-term fix to be able to get into a wp-admin of the site which was hacked, you can define home and
siteurl in the child sites wp-config.php file.
Once you have got into wp-admin of the site and changed
siteurl and home from Settings > General.
Then you can remove the constants for
siteurl and home set in the child sites
If you can access phpMyAdmin, select the site’s options database table. In the siteurl option value, change the URL back to match the correct site URL, and save the change.
To correct the hack, look for any admin users which did not exist previously. Also, look for any users who have had permissions changed. Also, look that the permissions in the
wp_user_roles option name is set correctly. Since this could mean that all users on the site, including subscribers, have admin permissions. If you have a recent backup before the hack, restore from that backup, then make sure that the Easy WP SMTP plugin is updated to the most current version after the site has been restored.
It is also recommended that you can run a scan on the child site, to make sure that nothing else has been changed on the site, two recommended plugins would be NinjaScanner – Virus & Malware scan or Anti-Malware Security and Brute-Force Firewall.
By keeping child sites plugins updated at all times and staying up to date on newer plugins, you can prevent hacks and security breaches, which will keep you and your clients happy.