WordPress hack from “system” post?

Our WordPress site (maintained by a third party) was hacked recently with the pharma redirects from Google searches.

We were not sure how they got in, but there were lots of login attempts on an "admin" account and some other name-based accounts (e.g. "bob"). The third party company added the Sucuri Security plugin so we could see this after the first hack.

So we removed that account, and also added an IP whitelist to the .htaccess file for wp-login.php so that vulnerability scanners could not access it.

I also checked we had upgraded to the latest WordPress (version 5.7.2) and PHP (7.4). We also changed all the passwords on existing accounts.

This morning we had an error as the mo.php file had been incorrectly edited and the site was down.

I checked and we found more files in /wp-admin had been added, but there were no user logins to WordPress. There were these two "system" entries from a malicious IP: hack details

I am wondering if there is another weak route they have found. There is no user on our site called ‘security’.

Anything else I need to fix?