Thanks for checking the search, but I had them running all kinds of versions. I have seen one thing unusual in most of them wp-cron seems to have been affected. Other in commons are the ip addresses are russia, some iran and russia. Also one of those sites I checked yesterday and it was fine, then I find a dated 6-21 file change on the them index and styles, which appears they hacked it a few days ago but it didn't take effect??? Maybe it was my browser cache. ??? not sure.
I am wondering if wp-cron has someway of being activated and how I can check this.
on those same ip addresses I also had one of them hitting /load-scripts.php
These guys have caused me hours of work fixing. they delete the admin email address, so no use of lost password and have to go to mysql to directly change the user email.