• I run a WordPress site on a Digital Ocean droplet. This morning I received 12 automated emails saying user passwords had been changed. Two emails were for accounts I’m the owner of; one of these was the admin account. When I tried to log in to my admin account it said the password was wrong. I’ve managed to regain access but want to find out how this happened.

    I take security quite seriously, and have followed the WordPress hardening guide. Since this breach I’ve installed the Sucuri plugin. In the audit log it’s showing every minute several failed attempts to log in to my admin account, as well as some other accounts.

    The problem is that Sucuri hasn’t found anything that looks like a problem. It says “Core WordPress Files were modified”, and this list:

    • Default.html
    • browserconfig.xml
    • manifest.json
    • php_errorlog
    • wp-admin/php_errorlog
    • wp-includes/php_errorlog
    • .htaccess

    I’ve had a look at those and don’t see anything wrong.

    Could this be a mass brute-force attack? My user password was more than 16 random characters.

    If it’s not brute force, and my site has actually been infected, how can I try to find the cause? I’ve tried an external security scan of the site using Quttera, but this showed nothing wrong.

  • The topic ‘I’m under attack: systematic changing of passwords’ is closed to new replies.