Maya remembered a HackTricks trick: "Check for .git exposure on WordPress sites."
There it was. A rogue cron job running wget from a shady IP in Estonia every Wednesday at 6 PM, pulling a malware.sh script.
"Let's see where they hit you," she muttered.
"I've stopped the redirect. But you're still compromised. The attacker has wp-config.php . Change every password. Salt the hashes. And for God's sake, remove wp-file-manager ."