This is how I solved the problem.

1. Create a text file named ".htaccess" (without the quotes and beginning with .) and put the following contents in it:

order deny,allow
deny from all

allow from

where is your IP address. If you need to add more IP addresses, just add new lines with allow from

You can check your IP here

2. Upload this file to the following directories:


3. Change all the passwords of the WP and DAP admins

4. In Paypal regenerate your
Paypal API USER,

Paypal API Signature

and put the new ones in Setup -> Config

5. If your users log in through WP (it is unlikely but possible), they can log in at yoursite_dot_com/wp-login.php

DAP has nothing to do with this security issue.
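
An added example, not part of the original post: the allowlist from step 1 written so that it works on both Apache 2.2 and Apache 2.4, since a 2.4 server without mod_access_compat rejects the `order`/`deny`/`allow` directives with a 500 error. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders from the documentation ranges; replace them with your own.

```apache
# .htaccess: restrict a directory to an IP allowlist.
# Addresses below are constructed placeholders, not values from the post.

# Apache 2.4 and later (mod_authz_core).
# Needs "AllowOverride AuthConfig" (or All) for this directory.
<IfModule mod_authz_core.c>
    # Several addresses or CIDR ranges may follow one "Require ip";
    # a client matching any of them is allowed, all others get 403.
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>

# Apache 2.2 (the syntax used in step 1).
# Needs "AllowOverride Limit" (or All) for this directory.
<IfModule !mod_authz_core.c>
    # "deny,allow" evaluates Deny first, then Allow, so the
    # Allow lines carve exceptions out of "Deny from all".
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

After uploading, request the protected directory from an address that is not on the list and confirm the server answers 403; a 200 usually means the server's AllowOverride setting is ignoring the file.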