Find the security hole on my site and prevent it

Question

Last day I've noticed that my wordpress site is hacked and a PHP backdoor shell is installed on my site. Virus scanner reported that a plugin file is inside my wp-content/uploads which I did not upload it myself. It included a wordpress plugin plus some php shells.

I don't know how this file placed there, by using this file, hacker could access root folder of my host, create files and change permission of file to allow them to be executed.

I don't know how does it help the hacker and what was the benefit for him/her but he/she could create a file on my host and claim my site as its property on google search console. I want to know:

1. How can I find the security hole on my site?
2. What was the benefit for hacker to claim my site as his/her property on Google search console? I removed him/her from google search console of my site but I want to know the risks that it might bring for me.

I'm using wordpress 4.6.9, I've used plain-ftp sometime for file transfers which I guess it might put me in trouble but I'm not sure. I also noticed change in size of database and host disk usage.

> [09/May/2018:11:23:46 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45264 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
[09/May/2018:12:01:48 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45165 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
[09/May/2018:12:22:13 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
[09/May/2018:12:22:15 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[09/May/2018:12:22:17 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 17044 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[09/May/2018:12:22:19 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
[09/May/2018:12:22:20 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
[09/May/2018:12:22:27 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16927 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[09/May/2018:12:22:29 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
09/May/2018:12:22:31 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 17044 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
[09/May/2018:12:22:34 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 48900 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
[10/May/2018:08:28:53 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:28:57 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:28:59 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:02 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:04 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:06 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99033 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:08 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99062 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:11:08:58 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45215 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)"
 [11/May/2018:08:51:13 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45110 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2913.70 Safari/537.36"
 [16/May/2018:06:33:19 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45322 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:51.0) Gecko/20100101 Firefox/51.0"
[16/May/2018:09:11:02 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 48747 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
[16/May/2018:09:11:06 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
[16/May/2018:09:11:08 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
 [16/May/2018:09:11:20 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
 [16/May/2018:09:11:25 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16891 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
 [16/May/2018:09:11:29 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16941 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
- [16/May/2018:09:11:32 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 16963 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
- [16/May/2018:09:11:35 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 16891 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
 [16/May/2018:09:11:27 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 40109 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[17/May/2018:16:16:14 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:16 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:18 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:21 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:23 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:26 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99676 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:28 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99676 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
 [23/May/2018:16:46:27 +0430] "POST /wp-content/plugins/background-image-cropper/wp-post.php HTTP/1.1" 404 81920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
 [23/May/2018:16:46:57 +0430] "POST /wp-content/uploads/kc_extensions/background-image-cropper/wp-post.php HTTP/1.1" 404 99574 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
 [24/May/2018:15:40:32 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45263 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2904.89 Safari/537.36"
 [28/May/2018:14:35:16 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45712 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
[29/May/2018:12:22:32 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 90112 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[30/May/2018:01:44:44 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45559 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.62 Safari/537.36"
[31/May/2018:05:44:23 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:05:44:24 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:05:44:25 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:10:04:27 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:29 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100303 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:31 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:33 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:37 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:39 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100560 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:42 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100560 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"

[01/Jun/2018:09:38:38 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:40 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100310 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:43 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:47 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:16:06:12 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101532 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[01/Jun/2018:16:06:19 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101503 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[01/Jun/2018:16:06:25 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101532 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:00 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:05 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:11 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[07/Jun/2018:16:40:49 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 90112 "my.site" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
[07/Jun/2018:23:28:13 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 98304 "my.site" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"




[09/Jun/2018:14:32:25 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 101833 "http://my.site/wp-content/uploads/2018/05/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:33 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 101833 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:44 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 24684 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/05/Image_4-1-310x165.jpg HTTP/1.1" 200 13261 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/03/3338870a59339803fde5c832a78dc735-310x165.jpg HTTP/1.1" 200 12743 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/04/%D8%AD%D9%85%D8%A7%D9%85-1-310x165.jpg HTTP/1.1" 200 12613 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/05/Image_10-310x165.jpg HTTP/1.1" 200 19456 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "GET /wp-content/plugins/WP_Visual_Chat/assets/images/administrator-2-128.png HTTP/1.1" 200 2999 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "POST /?wc-ajax=get_refreshed_fragments HTTP/1.1" 200 411 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 35 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

Answer 1

hacker could access root folder of my host, create files and change permission of file to allow them to be executed.

So you have basically an unrestricted compromise of your system, and that includes all user data, database passwords, API keys …

Boy, you have some passwords to change. Have fun.

If your system is still running: Stop it. At this point, your server is not your own. You say you notice change in database and host disk usage, and the best explanations of that could be somewhere between abusing your system as an ad-serving bot, command and control backup of some botnet, and distribution of child porn.

The change in Google search console might point to a rather benign (planned?) usage in a scheme where your site was to be modified to generate illicit ad revenue, or just as forwarder to a different site. In any case, it indicates the takeover didn't just happen to mine some cryptocoin, so it's likely the original attacker had a different risk of detection / profit tradeoff in mind.

Stop it. Save a snapshot for later investigation / proof of innocence. Flatten system. Bring up new, minimal, system.

All this points to it really not being worth the time figuring out the security hole. Your system was insecure, and I'll be honest: it all probably starts with running WordPress with random plugins. So, in all brutal honesty that I can bring in the face of someone who probably "just wants to run a website":

Dump Wordpress.
Or only run it locally on your computer to generate static sites and upload these. But at that point, other CMSes become far more comfortable to use. Run your webserver in a container, separate from the database, with read-only access to your served content/scripts; SELinux today makes a lot of things easier to set up more securely. Use it; I've seen more than PHP shell being thwarted by a simple "nope, that process can't access anything but the folders it was meant to access" that SELinux offers. This is all "standard" these days, and all surprisingly easy (unless you follow some bad tutorial that tells you to "stop SELinux, because it's hard to use". Looking at you here, digitalOcean.)

I've used plain-ftp

Not good. TLS-encapsulated FTP is really available on any system these days. Or go straight for SSH/SCP (better file listing protocol than FTP); anyway, this is only a security problem if the malicious party was able to eavesdrop. But that can happen in shared hosting, in WiFis, home networks... so, no, unencrypted access to a server simply is unnecessary, and can be avoided at no additional cost or complexity. Don't.