Got the latest BWPS. I suspect that the hacker has gained access to the admin page (and stored/cached the URL) when the previous version has failed to hide the backend properly.
The new version seems to hide the backend (to the best of my knowledge), but I have no way to change the secret code (bottom of hide backend config page) as the hackers are still hitting that page directly (with hide backend enabled and admin urls changed multiple times). Is there any way to change the secret key? Thanks!