WordPress Site Keeps Getting Hacked? Here's Why & How to Stop It

By WebAdish

You cleaned the malware. You updated everything. A week later, it's back. If your WordPress site keeps getting hacked, you haven't found the backdoor — and until you do, the cycle will never stop.

Key Takeaways
  • Repeat hacks almost always mean a backdoor was missed during the initial cleanup
  • Backdoors survive reinstalls, password changes, and surface-level malware scans
  • Breaking the cycle requires a full forensic cleanup — not just removing visible malware

Why your site keeps getting hacked

If your WordPress site is being compromised repeatedly — even after you have cleaned it and updated everything — there are a small number of root causes. Understanding which one applies to your situation is the first step to breaking the cycle.

The frustrating reality is that most repeat hacks are not new attacks. They are the same attacker (or their automated tools) re-entering through a door they left open the first time. Surface-level cleanup removes the symptoms — the spam links, the redirects, the injected scripts — but leaves the entry point intact. Within days or weeks, the infection returns.

The most common cause: undetected backdoors

A backdoor is a hidden piece of code that lets attackers re-enter your site without needing your username or password. When hackers compromise a site, the malware you can see — the spam links, the redirects, the defaced pages — is just the symptom. The backdoor is the real problem, and it is designed to be invisible.

Backdoors are commonly hidden in:

  • The wp-content/uploads directory — This folder is writable by WordPress for uploading images, which means attackers can place PHP files there. Most security scans focus on plugin and theme files and miss this location entirely. PHP files have no legitimate reason to exist inside the uploads folder, but basic scanners rarely check for them.
  • Encoded PHP files — Malicious code is often base64-encoded or obfuscated with tools like PHP Obfuscator to look like gibberish. To a basic scanner it appears as an unusual but non-threatening file. A forensic scanner decodes these files and analyses what the code actually does.
  • WordPress core file replacements — Attackers replace legitimate files like wp-load.php or functions in wp-includes with modified versions containing backdoor code. Because the filename matches a known legitimate file, many scanners pass over it without inspecting the contents.
  • Database entries — Malicious JavaScript or PHP can be injected directly into your WordPress database, inside post content, widget settings, or theme options. Scanning files alone will not find a database-level backdoor.
  • Plugin and theme files — Even after you delete an infected plugin, if a backup or cached version remains on the server, the backdoor persists. Some hosting panels keep hidden backups in directories outside the WordPress install.

Why reinstalling WordPress does not fix repeat hacks

This is one of the most common misconceptions we encounter. Many site owners reinstall WordPress core after a hack, see the site looking clean, and assume the problem is resolved. It is not.

A WordPress reinstall only replaces the files inside /wp-admin/ and /wp-includes/. It leaves everything else untouched — your plugins, your themes, your uploads directory, and your database. Backdoors planted in any of those locations survive a full WordPress reinstall entirely. The site will appear clean for days or weeks, then become reinfected as the attacker or their scripts re-activate the backdoor and re-inject the malware.

Other reasons WordPress keeps getting hacked

Compromised hosting credentials

If your FTP, cPanel, or hosting panel password was part of the original breach, attackers may still have access at the server level — independent of WordPress entirely. Changing your WordPress admin password does nothing if they can still log into your hosting account and upload files directly. Server-level access bypasses all WordPress security measures, including two-factor authentication and security plugins.

After any WordPress hack, it is essential to change FTP/SFTP credentials, your cPanel or hosting panel password, your database password, and update wp-config.php to reflect the new database credentials.

Vulnerable plugin being re-exploited

If a plugin with a known vulnerability is still installed and active — even if you cleaned the malware it caused — attackers can exploit the same vulnerability again within days. Automated bots scan millions of sites constantly for known vulnerable plugin versions. These bots use public vulnerability databases like WPScan to identify targets. If your site is running a plugin version listed as vulnerable, it will be targeted repeatedly until the plugin is updated or removed.

The fix is straightforward: update all plugins immediately, and set up monitoring so future vulnerability disclosures trigger an immediate update.

Nulled themes or plugins

Nulled (pirated) themes and plugins frequently contain malware baked into the code itself. Every time the file is loaded by WordPress, it re-infects your site. No amount of cleanup will help if a nulled file is still installed — the malware is in the code, not in a separate file you can delete. The only solution is to remove the nulled software entirely and replace it with a legitimate licensed version.

Cross-contamination from another site

If you host multiple WordPress sites on the same hosting account and one is compromised, the malware can spread laterally to your other sites through shared file system permissions. Cleaning one site without addressing all others on the same hosting account will result in re-infection. This is a particularly common problem with shared hosting environments where multiple sites share a single cPanel account.

Weak or reused admin passwords

Brute-force attacks and credential stuffing (using username/password combinations leaked in data breaches from other sites) are responsible for a significant proportion of WordPress hacks. If your WordPress admin password appears in any public data breach — even from an entirely unrelated service — it is known to attackers and will be tried on your site. Use a unique, randomly generated password of at least 20 characters for every WordPress admin account.

How to tell if your site has an active backdoor

Some signs that suggest an undetected backdoor is present, even after cleanup:

  • Your site is reinfected within days or weeks of a cleanup
  • Google Search Console shows manual action or deceptive content warnings
  • Your hosting provider has suspended your account for malware
  • Visitors are being redirected to spam or phishing sites
  • Unexpected admin accounts appear in your WordPress user list
  • Your site sends emails you did not create
  • File modification dates in wp-content/uploads show recent changes to PHP files

Any of the above is strong evidence that a backdoor remains active. A surface-level scan using free tools will frequently return clean results even when backdoors are present — these tools compare file hashes against known malware signatures and cannot detect custom or obfuscated backdoors.

How to permanently stop repeat WordPress hacks

Step 1: Full forensic cleanup — not just surface malware

A genuine cleanup requires scanning every file on your server, not just the WordPress install directory. This includes the uploads folder, any hidden directories, server-level configuration files, and your WordPress database. Every backdoor must be identified and removed. Forensic-level cleanup tools decode obfuscated PHP, check file modification timestamps against expected values, compare core files against official WordPress releases, and analyse database content for injected scripts.

If even one backdoor is missed, the site will be reinfected. This is why basic plugin-based scans often fail for repeat-hack situations — they are designed for initial detection, not forensic-level cleanup.
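The hiding places listed under "Backdoors are commonly hidden in", the warning sign of recently changed PHP files in uploads, and the Step 1 checks (decoding obfuscated PHP, reviewing timestamps, comparing core files, inspecting database content) can all be triaged from a shell on the server. The script below is an added example, not WebAdish's tooling; it assumes a standard WordPress layout under the path you pass, the default wp_ table prefix, and WP-CLI (wp) being installed for the two database and core functions.

```shell
#!/bin/sh
# Backdoor triage for a WordPress install (added example, not WebAdish tooling).
# Assumed usage, run as the site user on the server:
#   php_in_uploads /var/www/site; suspicious_php /var/www/site; recent_php /var/www/site 14
# Every hit is a lead for manual review, not proof of compromise on its own.

# Calls that are rare in legitimate plugin/theme code but common in obfuscated
# droppers and web shells (eval/assert of decoded data, direct eval of request input).
SUSPECT_RE='(^|[^A-Za-z0-9_])(eval|assert|gzinflate|gzuncompress|str_rot13|create_function) *\(|base64_decode *\(|\$_(POST|GET|REQUEST|COOKIE)\[[^]]*\] *\)'

# 1. PHP anywhere under uploads is suspect: WordPress never needs it there.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null
}

# 2. PHP files (plugins, themes, core, hidden dirs) whose contents match the markers.
suspicious_php() {
    find "$1" -type f -iname '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null
}

# 3. PHP files changed in the last N days: after a cleanup, each one needs an explanation.
recent_php() {
    find "$1" -type f -iname '*.php' -mtime -"$2" 2>/dev/null
}

# 4. Peel one base64 layer out of a file so the analyst can read what it hides;
#    feed the output back in if the payload is itself encoded.
decode_base64_args() {
    grep -oE "base64_decode *\( *['\"][A-Za-z0-9+/=]{12,}['\"]" "$1" \
      | sed -E "s#.*['\"]([A-Za-z0-9+/=]+)['\"].*#\1#" \
      | while IFS= read -r blob; do
            printf '%s' "$blob" | base64 -d 2>/dev/null && printf '\n'
        done
}

# 5. Database-level injections and core integrity via WP-CLI (real commands;
#    the default wp_ table prefix is assumed). Legitimate embeds also contain
#    <script>, so review the rows rather than deleting them blindly.
injected_in_db() {
    wp --path="$1" db query \
      "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%'"
}
core_integrity() {
    wp --path="$1" core verify-checksums
}
```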

Step 2: Change every credential

After cleanup, change all of the following without exception:

  • All WordPress admin account passwords
  • FTP/SFTP credentials
  • cPanel or hosting panel password
  • Database password (and update wp-config.php accordingly)
  • Any API keys or service integrations connected to the site
  • Email account passwords, if those accounts are used for WordPress recovery

Step 3: Remove all unused plugins and themes

Deactivated plugins still present a vulnerability — their files remain on the server and can be exploited whether the plugin is active or not. Delete every plugin and theme you are not actively using. There is no benefit to keeping them installed. For themes, keep only the active theme and one backup theme (in case your active theme breaks after an update). Delete all others.

Step 4: Enable a Web Application Firewall

A WAF (Web Application Firewall) from Cloudflare, Sucuri, or Wordfence Premium blocks malicious traffic before it reaches your WordPress installation. It blocks known attack patterns, rate-limits login attempts to prevent brute-force attacks, blocks IP addresses with a history of malicious activity, and provides a buffer even when your plugins have unpatched vulnerabilities. A WAF alone will not stop a determined attacker with valid credentials, but it dramatically reduces the attack surface.

Step 5: Implement ongoing security monitoring

Once clean, you need to stay clean. This means daily automated scanning for file changes, new malware, and newly disclosed plugin vulnerabilities. Any unexpected change to a core WordPress file should trigger an immediate alert. An active WordPress maintenance service or security retainer handles this continuously — monitoring your site 24/7 and responding immediately when anything changes.

Step 6: Harden your WordPress configuration

After cleanup, apply security hardening to make future attacks significantly harder:

  • Disable XML-RPC if you do not use it (a frequent attack vector)
  • Restrict wp-admin access by IP address if your team works from fixed locations
  • Enable two-factor authentication for all admin accounts
  • Set correct file permissions (755 for directories, 644 for files, 600 for wp-config.php)
  • Move wp-config.php one directory above the WordPress root if your hosting allows it
  • Disable PHP execution in the uploads directory via .htaccess
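An added example (not WebAdish's code) of the file-permission, uploads and XML-RPC items from the hardening list above, for a site served by Apache 2.4 with .htaccess overrides enabled; the install path and the fact that XML-RPC is genuinely unused are assumptions. On nginx, .htaccess is ignored and the equivalent is a deny rule in the server block.

```shell
#!/bin/sh
# Post-cleanup hardening for a WordPress install served by Apache 2.4
# (added example, not WebAdish tooling). Assumes AllowOverride permits
# .htaccess in the docroot; nginx ignores .htaccess entirely.
# Usage: harden_wp /var/www/site

# Step 6 permissions: 755 for directories, 644 for files, 600 for wp-config.php.
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
}

# Uploads hold media only: refuse to execute PHP there, so a dropped shell
# returns 403 instead of running. Written fresh each time (idempotent).
deny_php_in_uploads() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# No PHP may execute in the uploads tree (Apache 2.4 syntax).
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Block the XML-RPC endpoint at the web server when no client (Jetpack,
# mobile app) needs it. Appended once; re-runs leave the file unchanged.
disable_xmlrpc() {
    grep -q 'xmlrpc.php' "$1/.htaccess" 2>/dev/null && return 0
    cat >> "$1/.htaccess" <<'EOF'
# XML-RPC is unused on this site; block the endpoint to close a brute-force vector.
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}

harden_wp() {
    set_permissions "$1" && deny_php_in_uploads "$1" && disable_xmlrpc "$1"
}
```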

When to call a professional

If your site has been hacked more than once, or if you have tried to clean it yourself and the infection returned, the most cost-effective path is a professional forensic cleanup. Security specialists know exactly where backdoors hide — including locations that basic tools never check — and have the tooling to find them all, not just the obvious ones.

The cost of professional cleanup (typically £1,000–£2,000 for a repeat-hack situation) is almost always less than the cost of continued downtime, Google blacklisting, GDPR breach notification obligations, and repeat DIY cleanup attempts that do not resolve the root cause.

WebAdish provides emergency hacked WordPress site recovery for UK businesses. Our process includes a full file-level forensic scan, complete backdoor removal, credential rotation guidance, WAF configuration, and a 30-day guarantee. If your site is reinfected within 30 days of our cleanup, we fix it again at no charge.
