My WordPress smalll less than 10 page site has picked up malicious code that is causing two critical problems: a handful of pages suddenly return 404 errors, and the admin password keeps getting reset without my consent. I have not spotted any unfamiliar plugins or rogue themes in the dashboard, so the infection is likely buried deeper—perhaps in core files, the database, or hidden cron jobs. What I need from you • Identify and eradicate every trace of malware or injected script. • Restore all pages so their original URLs load correctly, with no redirects or missing content. • Lock down whatever exploit is letting attackers change the admin password. • Perform a full security hardening pass (file permissions, .htaccess rules, wp-config keys, PHP version checks, etc.) to close any other vulnerabilities you find. Acceptance criteria 1. A clean security scan (Wordfence, Sucuri or comparable tool) shows zero critical or high-severity issues. 2. All previously broken URLs load as expected—no 404s, no redirects. 3. Admin credentials remain unchanged for at least 48 hours after fix and hardening. 4. A brief report summarises what was removed, which files were modified, and the preventive steps applied. Please be comfortable working directly on the live server via cPanel/SSH and taking a full backup before you start. I’m ready to give immediate access so we can get the site stable again as soon as possible.