Is your WordPress site stuck in a nightmare loop?
You scan the site, delete the infected files, and see the “All Clean” green checkmark. You think the battle is won. But then—often exactly at midnight or 24 hours later—the malware is back. The redirects start again. The hosting provider suspends your account.
This is the “Reinfection Loop,” and it is the single most frustrating problem for website owners.
I have cleaned thousands of hacked sites, and here is the hard truth: If your site keeps getting reinfected, you didn’t miss a file. You missed a mechanism.
Scanners like Wordfence or Sucuri are great tools, but they often miss “smart” malware that hides in the database, disguises itself as a legitimate plugin, or lives inside your cron jobs.
In this guide, I will show you exactly where the infection is hiding and how to break the cycle permanently.
⚡ Quick Fix Guide: The “Cheat Sheet”
If you are in a hurry, check these 5 hidden spots immediately. Most reinfections come from here.
- Check WP-Cron: Install a cron manager plugin. Look for events with random names (e.g., wp_update_core_sys) that run every hour or at midnight.
- Hunt for “Ghost” Admins: Check your Users list. If you see nothing, check the database (wp_users table) directly. Hackers often hide their admin accounts from the dashboard.
- Inspect wp-content/mu-plugins: This folder loads plugins automatically. If you didn’t put a file there, delete it.
- Look for “Fake” Plugins: Check wp-content/plugins for folders that look official but aren’t (e.g., wp-compat, wordfence-security-pro-patch).
- Replace Core Files: Don’t just clean them. Download a fresh copy of WordPress and replace wp-admin and wp-includes entirely.
🔑 Key Points: Why “Clean” Sites Get Hacked Again
- Scanners have blind spots: Most scanners look for known malware signatures. If a hacker writes a custom backdoor, the scanner sees it as “safe” code.
- The “Time Bomb” effect: Hackers use Cron Jobs to schedule a re-download of the virus. You delete the virus file, but the “alarm clock” (Cron) is still ticking.
- Hidden Entrances: Backdoors are often hidden in innocent-looking files like images (.jpg, .gif) or fake plugin folders.
Reason 1: The “Green Scan” Lie (Why Scanners Fail)
The biggest mistake I see clients make is trusting the “Green Shield.” You run a scan, it says “No Malware Found,” so you assume the site is safe.
Here is why that is dangerous.
Sophisticated malware developers know exactly how security plugins work. They write code that looks legitimate. For example, I recently analyzed a site where the malware was hiding inside a plugin that looked like a “compatibility fix.” It was called wp-compat, and it had a backdoor that allowed the hacker to upload files whenever they wanted.
Read more: The wp-compat Plugin: The Hidden Backdoor in Your WordPress Site
Because the folder name looked “boring” and technical, the site owner ignored it. The scanner ignored it too, because the code inside used standard PHP functions—just used maliciously.
The “Official Plugin” Trick
Another common tactic is creating folders that sound like they belong to WordPress or popular plugins. I have seen malware hide in folders named wp-security-team or wordpress-core-update.
If you see a plugin in your file manager (cPanel) that does not appear in your WordPress Dashboard plugin list, it is almost certainly malware.
Read more: New Malware Alert: The Fake “Official” Plugin Attack
Reason 2: The “Midnight” Reinfection (Cron Jobs)
Does your malware come back at a specific time? Maybe every day at 12:00 AM or every 6 hours?
This is a classic sign of a Cron Job Hack.
WordPress has a built-in scheduling system called WP-Cron. It handles scheduled posts and update checks. Hackers love this feature. They inject a tiny line of code into your database that says:
“Every day at 00:00, go to this external URL, download the virus, and reinstall it.”
You can delete every malicious file on your server, but if you don’t delete this instruction from the database, the site will re-infect itself automatically. This is why you feel like you are chasing a ghost.
Read more: Why Malware Keeps Coming Back: Hidden Cron Job Hack Explained
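The scheduled events live in the wp_options row named cron as a PHP-serialized array, so you can review them outside the dashboard. The script below is an added example, not code from the original article: it pulls hook names and schedules out of that value with a regular expression and lists every hook WordPress core does not schedule itself. The sample value, the placeholder key and the partial allowlist are constructed for illustration.

```python
import re

# Hooks WordPress core schedules by itself. Partial list: plugins register
# legitimate hooks too, so an unknown hook means "review it", not "malware".
CORE_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "wp_scheduled_auto_draft_delete",
    "delete_expired_transients", "wp_privacy_delete_old_export_files",
    "wp_site_health_scheduled_check", "recovery_mode_clean_expired_keys",
}

# In the serialized array every hook name is followed by a 32-hex key for the
# event arguments and then the event's "schedule" (a string, or b:0 if one-off).
EVENT_RE = re.compile(
    r's:\d+:"([^"]+)";a:\d+:\{s:32:"[0-9a-f]{32}";a:\d+:\{'
    r's:8:"schedule";(?:s:\d+:"([^"]*)"|b:0);'
)

def list_cron_events(serialized):
    """Return sorted unique (hook, schedule) pairs; schedule is None if one-off."""
    events = {(m.group(1), m.group(2)) for m in EVENT_RE.finditer(serialized)}
    return sorted(events, key=lambda e: (e[0], e[1] or ""))

def unknown_hooks(serialized, allow=CORE_HOOKS):
    """Hooks that core does not schedule: candidates for manual review."""
    return [(h, s) for h, s in list_cron_events(serialized) if h not in allow]

def build_event(ts, hook, schedule, interval):
    """Serialize one recurring event the way it appears inside the cron option."""
    key = "0123456789abcdef0123456789abcdef"  # constructed placeholder key
    return (f'i:{ts};a:1:{{s:{len(hook)}:"{hook}";a:1:{{s:32:"{key}";a:3:{{'
            f's:8:"schedule";s:{len(schedule)}:"{schedule}";s:4:"args";a:0:{{}}'
            f's:8:"interval";i:{interval};}}}}}}')

# Constructed sample value (not from a real site). The second hook name is the
# example given in the cheat sheet at the top of the article.
SAMPLE = ("a:3:{"
          + build_event(1700000000, "wp_version_check", "twicedaily", 43200)
          + build_event(1700006400, "wp_update_core_sys", "hourly", 3600)
          + 's:7:"version";i:2;}')

if __name__ == "__main__":
    for hook, sched in unknown_hooks(SAMPLE):
        print(f"review: {hook} (schedule: {sched or 'one-off'})")
```

Paste the option_value you export from phpMyAdmin in place of SAMPLE; every hook it prints should trace back to a plugin you actually installed.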
Reason 3: Ghost Admins and Hidden Users
Sometimes, the “virus” isn’t a file at all. It’s a person.
When hackers break in, the first thing they do is create a backup Admin user for themselves. But they are smart—they add a snippet of code to functions.php that tells WordPress: “Do not show this user in the Users list.”
You look at your “Users” page, and you see only yourself. Meanwhile, the hacker logs in every night using their hidden account to re-upload the malware you just deleted.
To catch this, you cannot rely on the WordPress dashboard. You must look at the wp_users table in your database (using phpMyAdmin) or use a deep-scan method.
Read more: How to Find and Remove Hidden Admin Users in WordPress
Reason 4: Malware Hiding in Images (.jpg, .gif, .ico)
You might think, “It’s just a picture, it can’t hurt me.”
Wrong.
One of the sneakiest reinfection methods involves hiding PHP code inside image files. The hacker uploads a file named logo.jpg. If you open it, it looks like a blurry image or just code gibberish. But the server is tricked into treating this “image” as an executable program.
I recently found a backdoor hidden inside a .gif file. The scanner skipped it because scanners are configured to skip media files to save speed. This left a permanent open door for the hacker.
Read more: Can a JPG File Contain Malware? Uncovering the Fake Image Backdoor
Read more: The Hidden Threat: How Malware Hides in GIF Files
Reason 5: The .htaccess Redirection Trap
If your site is redirecting to gambling or pharmaceutical sites (especially on mobile devices), the problem is usually in your .htaccess file.
This file controls how your server directs traffic. Hackers inject rules here that say: “If the visitor is coming from Google, send them to getfix.win.”
The tricky part? They often add 500 lines of “white space” before the malicious code. When you open the file to check it, it looks empty or normal at the top. You have to scroll all the way down to find the virus.
Read more: The Ultimate Guide to Removing .htaccess Malware
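Scrolling through hundreds of blank lines is easy to get wrong, so let a script report where the real content is. This is an added example, not code from the original article: it flags any line that follows a long run of blank lines, any rewrite condition keyed on the referer or user agent, and any rule that redirects to an external host. The infected sample is constructed and redirect.example is a placeholder host.

```python
import re

VISITOR_COND = re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
EXTERNAL_TARGET = re.compile(r"^(RewriteRule|Redirect\w*)\s.*https?://", re.I)

def audit_htaccess(text, gap=20):
    """Return (line_number, reason, line) for content worth a manual look."""
    findings, blank_run = [], 0
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        if blank_run >= gap:
            findings.append((number, f"content after {blank_run} blank lines", line))
        blank_run = 0
        if VISITOR_COND.match(line):
            findings.append((number, "rewrite depends on referer or user agent", line))
        if EXTERNAL_TARGET.match(line):
            findings.append((number, "redirects to an external host", line))
    return findings

# The default rules WordPress writes for pretty permalinks.
CLEAN = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress"""

# Constructed infected file: the clean block, 500 blank lines, then two
# injected lines that only fire for visitors arriving from a search engine.
INFECTED = (CLEAN + "\n" * 501
            + "RewriteCond %{HTTP_REFERER} google [NC]\n"
            + "RewriteRule ^ http://redirect.example/ [R=302,L]\n")

if __name__ == "__main__":
    for number, reason, line in audit_htaccess(INFECTED):
        print(f"line {number}: {reason}: {line}")
```

Legitimate rules can trip the referer and user-agent check (hotlink protection, bot blocking), so treat each finding as a line to read, not an automatic deletion.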
The Step-by-Step “Deep Clean” Strategy
If you are tired of the reinfection loop, stop doing “quick scans.” You need a surgical removal process. Here is the checklist I use for my clients.
Step 1: Manual File Inspection
Don’t just rely on plugins. Log into your hosting via FTP or File Manager.
- Go to wp-content/plugins. Open every folder. Do you recognize all of them? If you see wp-security-patch or wp-z-compat, delete them.
- Go to wp-content/uploads. Look for any PHP files hiding in your year/month folders. Uploads should never contain PHP files.
Read more: Hidden Backdoors & Fake Plugins: How Hackers Live in Dashboard
Step 2: Clean the Database
Malware strings often hide in the wp_options table (especially the siteurl or home rows if you have redirects).
- Open phpMyAdmin.
- Search for <script> or eval( or base64.
- Check specifically for executable files that shouldn’t be there.
Read more: Removing Hidden Executable Files (Case Study)
Step 3: Check Core Files (functions.php & wp-config.php)
The functions.php file in your active theme is the #1 spot for “Ghost Admin” code. Open it and look for strange code at the very top or very bottom.
Also, check wp-config.php. Hackers sometimes modify this file to point to a different database or include a malicious file before WordPress even loads.
Read more: Found Suspicious Code in functions.php? The Ghost Admin Hack
Step 4: The “Nuclear” Option (Fresh Core Install)
If you can’t find the file, replace the system.
- Download a fresh ZIP from WordPress.org.
- Delete wp-admin and wp-includes from your server.
- Upload the fresh copies.
Note: Do not delete wp-content or wp-config.php.
Post-Cleanup: How to Lock the Door
Cleaning the malware is only 50% of the job. You must close the holes they used to get in.
1. Change Your Salts
WordPress uses “Salts” to encrypt login cookies. If a hacker has a valid cookie, they can stay logged in even if you change your password. You must update your Security Keys in wp-config.php to force-logout everyone (including the hacker).
2. Update Everything
A vulnerable plugin is an open window. If you are running an old version of Elementor or a shady “nulled” theme, you will be hacked again in 24 hours.
3. Set Up Backups (Off-Site)
If this happens again, you need a clean version to revert to. Do not store backups on the same server! Use a tool like UpdraftPlus to send backups to Google Drive or Dropbox.
Read more: How to Back Up Your WordPress Site with UpdraftPlus (2025 Guide)
4. Checklist Review
I have compiled a complete 60-point checklist of signs that your site is still infected. Go through this list one by one.
Read more: 60 Clear Signs Your WordPress Site is Hacked
Read more: What to Do After Fixing a Hacked Site (Real Cleanup Checklist)
FAQ: Questions My Clients Always Ask
Q: Why does malware come back every day at the same time?
A: This is almost certainly a Cron Job or a scheduled external script hitting your site. The malware isn’t “living” on your site; it is being “re-delivered” by a script. Check your Cron events immediately.
Q: Can a “Factory Reset” (Don’t do that) remove malware?
A: Yes and no. If you reset the files but keep the database, the infection (which often lives in the database) will survive. You must clean both files and the database.
Q: Why didn’t Wordfence/Sucuri detect it?
A: Scanners look for “Signatures” (fingerprints). If the hacker wrote a brand new, custom piece of code (like the Fake Security Team Malware), it has no fingerprint yet. Scanners are helpful, but they are not human.
Q: Is it safe to use “Nulled” plugins?
A: Never. 99% of “free pro plugins” contain pre-installed backdoors. This is the #1 cause of reinfection.
Still Can’t Stop the Reinfection?
If you have followed this guide, checked the cron jobs, replaced the core files, and the malware still comes back, you likely have a “root level” infection or a complex database injection.
Some malware is designed to be impossible to remove without reading the raw code logs. If you are losing money every minute your site is down, you might need a specialist to dig deeper than a plugin can.
Read my case study: I Found a Hidden Backdoor in a Client’s Site (Real Story)
Don’t let hackers win. Be thorough, be paranoid, and check every single file.







