My website just recovered from an attack. I found out that my XML sitemap still contains spam content:
http://xn--qucu-hr5aza.com/7pwclknquax4hdhux0rx.so 2020-04-13 daily http://xn--qucu-hr5aza.com/a0obuu 2020-04-13 daily http://xn--qucu-hr5aza.com/mp41229014ewmsm2ayay 2020-04-13 daily
However, my HTML sitemap is clean.
I am using the Google Sitemap Generator (XML) for WordPress, but it doesn't have an "update" or "reindex" button.
Is there a way to deal with this? And why can the attacker change my sitemap? Assuming you don't have my FTP password.