A hacked wordpress site. How to remove the redirection to a phishing site?

Good time of day. This morning there were reports from users that was broken all three of our website. Records:
Created two accounts with administrator rights.
When you log on to the website will redirect to a phishing site.
The website with the example autoamber.ru
How to remove call forwarding?
March 23rd 20 at 18:42
3 answers
March 23rd 20 at 18:44
First things first. If there is no backup, then the steps are:
  1. Go into your website database through phpMyAdmin (maybe you have something else)
  2. Find the table wp_options
  3. Replace addresses in sections siteurl and home address on your website

Now for the second. If you have outdated EAP plug-ins have not been updated, the crack can easily. After the restoration of the site, it is desirable to disable all plugins to check which of them have vulnerability. Just browse through the search engine. About the break any of your plugins on any note.
And Yes, not the fact that you aren't built into the site of any third-party js that is responsible for forwarding or just lying around the hacker that something is not required.
Often people put the broken plug-ins and through the floor out of the problem. I would recommend to disable all plugins that are not bought and change their counterparts is free, or buy the plug-ins. - Kennedi.Larson commented on March 23rd 20 at 18:47
@Kennedi.Larson, Yes, and this problem is fairly common. But in this case, the owner is his own enemy. I already came across this website. Transferred to the office, and there pyatachka WP Backery with surprises stood and Elementor Pro (also with them). Yes, at the same time. I wanted to laugh and cry, when he realized the scope of work. - Malcolm6 commented on March 23rd 20 at 18:50
@Malcolm6, found a "virus"? - Kennedi.Larson commented on March 23rd 20 at 18:53
@Kennedi.Larson, first at the site fought kasperskys. using AIbolit found virusno. There coinhive sat, which were downloaded using the integrated injection pirated wpbackery. Have cut the plug, cleaned the table with reference to a js file. Actually all treatment. - Malcolm6 commented on March 23rd 20 at 18:56
March 23rd 20 at 18:46
How to take: restore from backup )) to Brush longer.
How to defend: the right of access to files, login from certain ip, protection plugins,..
If VPS, then a lot of things you can think of.
March 23rd 20 at 18:48
Show for fun, a screenshot of the page with installed plugins
wanted your blacklist inept podeli update...
Suspicion fell on the Convert Plus. Only he was standing on all three sites - Ida_Grimes31 commented on March 23rd 20 at 18:51

Find more questions by tags WordPressProtection against hackingPhishing