Theoretically, files could also be manipulated via plugins or themes in WordPress that are not kept up to date. I would recommend that you scan the website for this. Have a look at WordFence: https://wordpress.org/plugins/wordfence/
If anything is discovered, read this article: https://wordpress.org/documentation/article/faq-my-site-was-hacked/
Thanks, I use Wordfence on all my sites. I also use a plugin that tracks logins and activity. There were no logins other than my own. It also tracks failed logins and there were a few of those (Wordfence also notified me of those). The login viewer would tell me if a plugin was installed/deleted/modified.
Then it’s strange. Did you change the password after the incident?
Do you have an FTP log available from your hoster?
Do you see any other changes to files at the time the file was written? You can easily see this via FTP if you sort everything by date and click through the folders.
Does your hoster also have WebFTP access or an interface with which you can access the files in the hosting in a graphical interface? If so, there is certainly also a web access of your hoster whose password should perhaps also be changed.
Really good points, especially the last one. I use IONOS and will check with them about logs and will change my master PW there.
