• This week I was called to solve two hacking issues with WP websites which were developed by me.

    In both cases I noticed that a plugin was installed: UBH CSU (Looked like some kind of plugin to administer WP from some remote console)

    In one case an ‘admin’ account was added (I never do this myself)

    I always install the WordFence plugin by default and I checked the login attempt.
    – In one case I saw a successful login on name ‘admin’ (The account was there, just like that, without a previous successful login)
    – In the other case there was a successful login with the user's correct login name (I always use the user's last name, with a prefix and postfix, as login name)

    What I did:

    – Of course I removed this UBH CSU plugin
    – I checked WordFence's scan results
    – WordFence alerted on the UBH plugin files and one modified WP core file. The plugin was already removed and I restored the original core file.
    – I removed the admin user
    – I created new backend logins with new names and new passwords and removed the old ones
    – I changed the database password

    My Questions:

    1) Does anyone know more about this peculiar UBH CSU Plugin? (It has information about the creators and you can even see their Facebook page)

    2) Did I take all necessary steps to clean up, or did I forget something important?

    3) Is this an isolated hacking attempt, or is this a generally known WP issue?

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Hacked’ is closed to new replies.