I would like to know how to find how did that? What should I check?
Current users were checked.
Solved! Go to Solution.
There can be multiple reasons for you site hack. I advise you to make your site functional using previous backup and follow these steps before doing this.
1) Change the admin user credentials.
2) Use a custom admin path
3) Restrict your admin to particular IP address.
4) Change all the FTP,cPanel,phpmyadmin credentials.
5) If some third party worked on the site deactivate all the credentials for them if work is completed.
(admin login, users for SOAP and REST api,FTP, cPanel and others)
6) Disable FTP and start using SFTP.
7) Apply all the recently released patches release by Magento.
8) If you are still using Magento 1.3X series upgrade your Magento as no patches are released for this series.
9) Confirm with your hosting provider if they are PCI compliance or not?
10) If you are on shared hosting I advise you to switch to VPS plan.
11) Request you hosting provider to scan you project for any malware or viruses.
12) Keep your PC antivirus also updated and avoid saving the passwords on browsers.
For any suspicious user acitvity check Magento logs and server logs. Also check the Magento core files for any modification.