Compromised server running WordPress advice
I have a fully patched Windows 2008 R2 Server running IIS 7.5. Recently, the server was compromised and I found “cron.php” files located in a number of WordPress root directories on the server. When called over HTTP, these cron files would create thousands of .html files within subfolders that link to a Chinese site.
I enabled IIS logging and have blocked the offending IP addresses via Windows firewall and via IIS 7.5 IP restrictions.
I have cleaned the WordPress directories and reinstalled WordPress within all affected sites.
I have also revoked write access to the root WordPress folders.
However, I am still seeing POST requests attempting to reach the cron.php file within each WordPress site (which no longer exists). Here are two example log entries:
2015-09-15 20:54:51 xxxxxxxx POST /cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 374
2015-09-15 20:54:52 xxxxxxxxx POST /cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 136
The 403 tells me that the request was denied.
My question is, is there any further action I can take to stop these requests being attempted? Any advice would be most helpful.
Please let me know if I can provide any further information.
Thanks,
Paul.
The topic ‘Compromised server running WordPress advice’ is closed to new replies.
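The log lines in the post are in IIS W3C Extended format, and the useful question during cleanup is not only "which IPs are still knocking" but "did any request to a planted file ever get a 2xx before the cleanup", because those are the sites on which the attacker's code actually ran. The following script is an added example, not code from the post or from any forum reply: it parses the `#Fields` directive to name the columns, pulls out every request whose file name is on a watch-list, groups them by client IP and outcome, and lists the paths that were served. The log text is constructed for the example (the two 403 entries mirror the post, with the server IP replaced by a private placeholder; the 200 and 404 entries are invented), and the `WATCHED_NAMES` list is a hypothetical starting point.

```python
from collections import Counter
from posixpath import basename

# Constructed sample in IIS 7.5 W3C Extended log format. The two 403 entries
# follow the post (server IP replaced with a placeholder); the 200 and 404
# entries are invented to show a hit served before cleanup, a second site on
# the same server, and an unrelated request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2015-09-15 20:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-09-15 20:10:03 10.0.0.5 POST /cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 200 0 0 812
2015-09-15 20:10:09 10.0.0.5 POST /blog/cron.php - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 200 0 0 640
2015-09-15 20:30:15 10.0.0.5 GET /index.php - 80 - 203.0.113.9 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0 55
2015-09-15 20:54:51 10.0.0.5 POST /cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 374
2015-09-15 20:54:52 10.0.0.5 POST /cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 136
2015-09-15 20:55:01 10.0.0.5 POST /shop/cron.php - 80 - 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 404 0 2 12
"""

# Hypothetical watch-list of planted file names; extend with whatever else you find.
WATCHED_NAMES = {"cron.php"}


def parse_w3c(text):
    """Yield one dict per log entry, naming the columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log entry appears before a #Fields directive")
        parts = line.split(" ")  # IIS replaces spaces inside values with '+'
        if len(parts) != len(fields):
            continue  # truncated or malformed entry
        yield dict(zip(fields, parts))


def classify(status):
    """What the sc-status says about a request to a planted file."""
    if status.startswith("2"):
        return "served"   # the file existed and IIS executed it
    if status == "403":
        return "blocked"  # IIS refused it (substatus 6 = IP address rejected)
    if status == "404":
        return "missing"  # file already removed; the attacker is probing
    return "other"


def find_webshell_hits(text, names=WATCHED_NAMES):
    """Per client IP: attempts against watched file names, broken down by outcome."""
    hits = {}
    for e in parse_w3c(text):
        if basename(e["cs-uri-stem"]).lower() not in names:
            continue
        rec = hits.setdefault(e["c-ip"], {"attempts": 0, "outcomes": Counter(), "paths": set()})
        rec["attempts"] += 1
        rec["outcomes"][classify(e["sc-status"])] += 1
        rec["paths"].add(e["cs-uri-stem"])
    return hits


def block_candidates(hits, min_attempts=1):
    """IPs to add to the firewall / IIS IP restriction list, most active first."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["attempts"], kv[0]))
    return [ip for ip, rec in ranked if rec["attempts"] >= min_attempts]


def served_paths(text, names=WATCHED_NAMES):
    """Paths of watched files that ever returned 2xx: those sites ran the attacker's code."""
    return sorted({e["cs-uri-stem"] for e in parse_w3c(text)
                   if basename(e["cs-uri-stem"]).lower() in names
                   and e["sc-status"].startswith("2")})


if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for ip in block_candidates(hits):
        print(ip, dict(hits[ip]["outcomes"]), sorted(hits[ip]["paths"]))
    print("served before cleanup:", served_paths(SAMPLE_LOG))
```

Point the script at the real `u_ex*.log` files under the IIS log directory rather than at the embedded sample. Two things to read off the output: a `403 6` entry confirms the IP-restriction rule is doing its job, and requests can only be refused, not prevented, so the remaining work is on the other list, the paths that returned 2xx, which are the sites where the planted file actually executed and where the WordPress install, uploads directory and database should be re-checked rather than just the files on disk.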