WordPress Site Keeps Getting Hacked? The 7 Real Reasons Why
Cleaned your WordPress site and it got hacked again? You are not being targeted. Backdoors (found on 49% of hacked sites), rogue admin users, stolen hosting passwords, and unpatched plugins bring attackers back. Here is how to break the loop for good.

Video transcript
You cleaned your WordPress site completely. Then, forty-eight hours later, you're hacked again. What's going on? When you only clean the damage without removing the root cause, attackers don't need to work. They still have a way back in. Backdoors are hidden keys attackers leave behind. Nearly fifty percent of hacked WordPress sites have them. You clean the house, but they simply walk back in through the same door. Attackers create fake admin accounts you don't know about. It's like someone duplicating your house key. You change your password, but they keep full access. Unpatched plugins are open vulnerabilities. Attackers scan for outdated WordPress plugins daily. An old plugin is an unlocked front door. Break the reinfection cycle: find backdoors, audit every admin account, secure your credentials, and patch everything immediately. Read the complete guide at protego dot me.
You cleaned your site. Two weeks later the spam pages were back. You cleaned it again, changed your WordPress password, maybe even paid someone on Fiverr. Hacked a third time. At this point most people conclude the hackers are targeting them personally. They are not. Your site keeps getting hacked for a boring, fixable reason: the cleanups removed what you could see, but not the way the attacker gets back in.
The one sentence that explains reinfection
A hacked website is not a mess to be tidied; it is an open door plus whatever came through it. Every cleanup that only deletes the visible malware (the spam pages, the redirect code, the weird popups) leaves the door itself: a backdoor file, a stolen password, or an unpatched plugin. The attacker (usually an automated script, not a person) simply walks back in on schedule.
This is not speculation. Sucuri's report on thousands of professionally cleaned websites found that 49 percent of compromised sites contained at least one backdoor at the point of infection, and their analysts removed over 21,000 backdoors in a single year. Miss one, and the cleanup was cosmetic.
The 7 ways your site gets rehacked
1. A backdoor survived the cleanup
A backdoor is a small file, often 1 to 3 lines of scrambled PHP, that lets an attacker run commands on your server through a normal web request. Backdoors hide in places cleanups skip: the uploads folder (which should never contain PHP at all), the wp-content/mu-plugins folder (plugins that load automatically and never appear in your normal plugin list), old theme folders, and even inside the database. If your site keeps coming back infected within days or weeks, this is the number one suspect.
2. There is an extra admin you never created
In the same Sucuri dataset, 55 percent of infected databases contained a malicious WordPress admin user. Attackers create their own administrator account so that even a perfect file cleanup changes nothing: they log in through the front door. Check Users in your dashboard, and do not stop there: also review FTP accounts and any "application passwords" under each user's profile.
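One way to make the admin check repeatable is to diff the administrator list against the logins you expect. This is an added example, not part of the original article; the allowlist file, the incident date and the sample accounts are assumptions constructed for illustration.

```shell
# Added example. Feed audit_admins the CSV produced by WP-CLI:
#   wp user list --role=administrator \
#     --fields=user_login,user_email,user_registered --format=csv
# The allowlist is a file you maintain: one expected admin login per line.
audit_admins() {
  local allowlist="${1:?usage: audit_admins <allowlist-file> [incident-date]}"
  local since="${2:-}"   # optional date of the first known compromise, YYYY-MM-DD
  awk -F, -v allow="$allowlist" -v since="$since" '
    BEGIN {
      while ((getline line < allow) > 0)
        if (line != "") known[line] = 1
    }
    NR == 1 { next }                 # skip the CSV header row
    {
      gsub(/"/, "")                  # fields containing spaces arrive quoted
      if (!($1 in known))
        print "UNKNOWN_ADMIN " $1 " <" $2 "> registered " $3
      else if (since != "" && $3 >= since)
        print "REGISTERED_AFTER_INCIDENT " $1 " " $3
    }'
}

# Constructed sample input (not real accounts) in the same CSV shape.
sample_admin_csv() {
  cat <<'EOF'
user_login,user_email,user_registered
alice,alice@example.com,"2021-04-02 10:15:00"
wp_support,support@example.net,"2025-03-04 02:11:37"
bob,bob@example.com,"2025-03-05 08:00:00"
EOF
}
```

Run it as `wp user list ... --format=csv | audit_admins expected-admins.txt 2025-03-01`. Application passwords are listed per user with `wp user application-password list <user>`.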
3. The original hole was never patched
Most WordPress hacks come through a vulnerable plugin. Patchstack's State of WordPress Security 2026 counted 11,334 new WordPress ecosystem vulnerabilities in 2025 (up 42 percent from the prior year), with 91 percent of them in plugins. If the plugin that let the attacker in is still installed at the same version, cleaning the site is like mopping the floor with the tap still running. Two more numbers from the same report explain why this loop is so fast: for heavily targeted flaws, the median time from disclosure to mass exploitation was 5 hours, and 46 percent of vulnerabilities had no patch from the developer at disclosure time.
4. You restored an infected backup
If the backup you restore was taken after the first compromise, you are reinstalling the malware and the backdoor together, timestamps and all. When a site has been hacked repeatedly, treat every backup made since the first incident as suspect. Restore from before the first infection, or restore files selectively and scan everything.
5. The attacker has your hosting password, not your WordPress password
Changing the WordPress admin password does nothing if the attacker logged your FTP or hosting control panel credentials. With hosting access they can rewrite any file regardless of what WordPress thinks. After a reinfection, rotate everything: WordPress users, database password, FTP and SFTP, the hosting panel itself, and the security keys in wp-config.php that keep old login cookies alive.
6. A neighbor site on the same account is infected
If you host several sites under one hosting account, they can usually read and write each other's files. Cleaning one site while its neighbor stays infected is a revolving door: the infection walks sideways back in. Clean all sites on the account in the same pass, and consider isolating important sites on separate accounts.
7. A scheduled task reinstalls the malware
Some infections add a cron job (a task your server runs on a timer) that re-downloads the malware every day. Your cleanup works for a few hours, then the timer fires. Check both WordPress cron and the server's crontab:
```bash
# WordPress scheduled tasks (look for hooks you do not recognize)
wp cron event list
# Server-level scheduled tasks
crontab -l
```
The break-the-loop checklist
Do all of it in one sitting. Partial cleanups are how you got here.
1. Put the site in maintenance mode and take a snapshot for reference.
2. Update WordPress core, every plugin, and every theme. Delete anything inactive, and anything "nulled" (pirated premium plugins are a common source of preinstalled backdoors).
3. Reinstall core, plugins, and themes from official sources instead of trusting existing files.
4. Hunt backdoors: PHP files in uploads, the mu-plugins folder, files modified at odd times, and obfuscated code (eval, base64_decode) in places it does not belong.
5. Delete admin users, FTP accounts, and application passwords you did not create.
6. Rotate every credential: WordPress, database, FTP/SFTP, hosting panel, and the wp-config security keys.
7. Check scheduled tasks (both lists above) and remove anything you cannot explain.
8. Scan every other site on the same hosting account.
9. Verify from the outside with a free remote scan and, if Google flagged you, request review in Search Console.
When to stop doing this yourself
If you have been through two or more cleanup rounds, the honest read is that something in steps 4 to 8 keeps getting missed, and each round costs you rankings, visitors, and a weekend. A professional incident response service exists for exactly this situation: Sucuri's malware removal includes backdoor hunting and unlimited repeat cleanups in the flat annual price, so a reinfection costs them time instead of costing you money.
And whether you clean it yourself or not, put a web application firewall in front of the site afterward. The firewall blocks exploit attempts before they reach your plugins, which is the practical answer to the 5-hour exploitation window nobody can patch against manually. Patchstack's testing also found standard hosting defenses blocked only about a quarter of vulnerability exploit attempts, so "my host handles security" is unfortunately not a plan. Sucuri's firewall virtually patches known plugin holes at the edge while you update on your own schedule.
Frequently asked questions
I changed all my passwords. How are they still getting in?
Because passwords are only one of the seven doors. Backdoor files, rogue admin accounts, unpatched plugin holes, infected backups, cross-site contamination, and malicious cron jobs all survive a password change. Reinfection nearly always means one of those six is still live.
Will deleting WordPress and reinstalling fix it?
Reinstalling core files helps but does not finish the job: backdoors live in uploads, mu-plugins, and the database, all of which survive a core reinstall. A rogue admin user survives it too. Reinstall as part of the checklist above, not instead of it.
Do I need to burn it down and start from scratch?
Almost never. A complete cleanup (files, database, users, credentials, scheduled tasks, neighbors) plus patching the entry point ends the loop. Starting over without understanding the entry point often ends with the new site hacked the same way.
Is my hosting company supposed to prevent this?
Hosts secure the server, not your WordPress application. A vulnerable plugin is your side of the fence, and the data backs that up: most exploit attempts sail past generic hosting defenses. Some hosts do offer malware scanning as an add-on, but application-level protection is on you.
How do I find a backdoor myself?
Start with: any .php file under wp-content/uploads, anything in wp-content/mu-plugins you did not put there, files with modification dates during the incident, and grep hits for eval(base64_decode. Compare suspicious plugin files against fresh copies from wordpress.org. If that sentence sounds like a foreign language, that is your sign to hand it to a professional.
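The four checks in this answer (and in the backdoor section earlier) can be run in one read-only pass. The script below is an added example, not from the original article; the 14-day default window and the sample tree are assumptions, and the upload check also covers `.phtml` and `.php5`-style extensions, which goes slightly beyond the `.php` case named in the text.

```shell
#!/usr/bin/env bash
# Added example: read-only triage of a WordPress tree for the four signs above.
# Usage: hunt_backdoors /path/to/wordpress [days-since-incident]
hunt_backdoors() {
  local root="${1:?usage: hunt_backdoors <wp-root> [days]}"
  local days="${2:-14}"      # assumed incident window; set it from your own timeline
  local content="$root/wp-content"

  # 1. uploads should hold media only, so any PHP there is suspect.
  find "$content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) 2>/dev/null |
    sed 's|^|UPLOADS_PHP |'

  # 2. mu-plugins load automatically and never show in the plugin list.
  find "$content/mu-plugins" -type f 2>/dev/null | sed 's|^|MU_PLUGIN |'

  # 3. eval(base64_decode(...)) anywhere under wp-content.
  grep -rlE --include='*.php' 'eval[[:space:]]*\([[:space:]]*base64_decode' \
    "$content" 2>/dev/null | sed 's|^|OBFUSCATED |'

  # 4. PHP files modified inside the incident window.
  find "$content" -type f -name '*.php' -mtime "-$days" 2>/dev/null |
    sed 's|^|RECENT_PHP |'
}

# Constructed sample tree for trying the function out (harmless placeholder files).
make_sample_tree() {
  local t; t="$(mktemp -d)"
  mkdir -p "$t/wp-content/uploads/2025/01" "$t/wp-content/mu-plugins" \
           "$t/wp-content/plugins/gallery"
  printf 'GIF89a' > "$t/wp-content/uploads/2025/01/logo.gif"
  printf '<?php // placeholder\n' > "$t/wp-content/uploads/2025/01/cache.php"
  printf '<?php // placeholder\n' > "$t/wp-content/mu-plugins/loader.php"
  printf '<?php eval(base64_decode($x));\n' > "$t/wp-content/plugins/gallery/inc.php"
  printf '<?php echo "ok";\n' > "$t/wp-content/plugins/gallery/gallery.php"
  touch -t 202001010000 "$t/wp-content/plugins/gallery/gallery.php"  # old, untouched
  echo "$t"
}
```

Every line of output is a file to review by hand, not a verdict. For the comparison against fresh copies, `wp core verify-checksums` and `wp plugin verify-checksums --all` check installed files against the wordpress.org checksums.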
The short version
Your site is not cursed and you are not being targeted. It keeps getting hacked because cleanups keep removing the symptoms while a backdoor, a rogue account, a stolen credential, or an unpatched plugin stays behind. Run the full checklist once, properly, then put a firewall in front and turn on auto-updates. Sites that do this stop appearing in the reinfection statistics.
Related reading: Is my website hacked? How to check and fixing the Deceptive Site Ahead warning.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.