I write this post just to know if someone has had this problem:
I have some sites that offer UHB (United Hackers Bangladesh) attack.
The PHP version on does sites ware mainly 5.6 (but also one site with 7.0 has been attacked).
They upload some files to the server on Plugins>Update folder and rename all users to admin and set new passwords.
I have noticed that sites with Wordpress installed on a subfolder wasn’t affected.
For now, I have updated PHP and all plugins and refine wordfence options.
Anyone have been attacked this way? Do you know how they attack? Is it Wordpress or PHP vulnerability.