I have two wordpress sites. One of them was hacked about a year ago, and is still not behaving properly. One of the symptoms is that there's a DOS attack that sends hundreds to hundreds of thousands of requests for a non-existent page. I can keep this to hundreds by keeping "I'm under attack mode" in my cloudflare account, but this has side effects I don't want.
Another is that every time I edit a widget, procwatch (maybe, there's no easy way to tell that that's what's happening every time, but customer support says it is happening some of the time) turns off my account, so that I can't access either site, or log in via ssh. There are other actions besides editing widgets that do this, but that's the easy one for me to reproduce.
Does anyone else have this problem? Have you found a solution?