• Every three days or so all my plugins just vanish and most of my files have some new diafdsfnmdisamferuifndnfpdsn code in front of it. Takes me like 2 days to fix it, usually by getting my host to reset me back a few days, but then bammm again… I’ve gone from nearly 100,000 a month to 20,000 in visitors and this is just killing me.

Viewing 11 replies - 1 through 11 (of 11 total)
  • I’m guessing you are on some type of shared server. Have you talked to the host to see if they can help you? Have you changed all passwords?

    Thread Starter ffooteii

    (@ffooteii)

    My host is downtownhost, but I have changed all my passwords to a randomly generated one I keep in an unnamed notepad document hidden on my PC. I know that’s not the smartest, but I doubt they are getting in that way. My host fixes it almost every time but doesn’t seem to know how to prevent it. Last time they reinstalled all my plugins from scratch and a fresh WordPress and it lasted 2 weeks, longer than normal. I feel like it has to be a ‘fence around the rabbit’ type of problem, but with a fresh install I don’t see how.

    What is your site? I see this as two possibilities: one, the server itself is corrupted and DowntownHost has to find the issue and remove it (and you may want to back up or move your site); two, when the site was originally corrupted some code was changed in the theme PHP files, allowing certain things to happen even after you “cleaned” the site by resetting plugins or otherwise. Looking into your code a little, even just a view source in the web browser, may show you if it is #2.

    Thread Starter ffooteii

    (@ffooteii)

    My site is https://www.wearebaked.com, and I forgot to mention I cleaned out my themes also. I’m removing as many plugins as I can now and going to run ‘web shell detector’ to see if I get any results.

    The more I put together, the more I lean towards it being an issue on your server. I would be in touch with Downtown Host about getting to the bottom of it or possibly switching hosts.

    Thread Starter ffooteii

    (@ffooteii)

    Well, a major issue I have is that my website is about marijuana, so it’s hard finding a host; a lot will drop you after you set up and ‘settle in’. Any suggestions on programs or anything I can run to clean the servers? Also, could they be accessing me through leaks on one of the other sites they host?

    If somebody has gained access to the server directly or through another site, only the hosting provider can resolve this. If you are concerned about your site content being an issue for other hosting providers, just be forward with them about what your site is before you open a hosting account. They should tell you if they have a policy that does not allow certain content.

    Yeah, just to back up what Ari is saying, it does sound like a server issue. Having dealt with plenty of hacked sites, the virus sounds like it has to be on your server. You have to talk to the host, as you do not have access to the server; you are on a shared server not owned by you.

    Hi @ffooteii

    You probably don’t want to hear this, but this is very common.

    Two of the more common contributing factors:

    1 – You have a backdoor you haven’t cleared yet. Clearing the infection doesn’t mean you cleared the backdoor.

    I’d recommend blowing away the core install, and pushing a fresh copy.

    I don’t know much about your environment, but if you have more than one site on that server, all within your account, you could be suffering from cross-site contamination. Regardless, the attacker most likely has a backdoor on your server allowing them to bypass your access control mechanisms.

    Understand however that this doesn’t mean it’s a server level issue, it could be an issue in your account.

    2 – When you say you changed the passwords, did you include all of them, including SSH / SFTP / FTP / CPANEL, etc.?

    The more common mistake we see is a user clears the WP-ADMIN but forgets everything else.

    Also, did you clear your salts / keys? If you change your password, but leave your old salts and keys, anyone that is still logged in won’t get booted.

    Food for thought…

    Thread Starter ffooteii

    (@ffooteii)

    Well, I have changed all the passwords you mentioned and am going through all my files now to look for backdoors. Is there any easy way to find these? As you know, there are a lot of files.

    Try some of these tips: https://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html

    Understand though that looking for backdoors is not a simple thing to do; the best recommendation I often give folks is to reinstall core and all the themes and plugins and disable PHP execution in /Uploads.

    If you’re not a developer, without engaging professionals to help, that’s going to be one of the best solutions.

    Tony
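
A read-only triage scan for the two symptoms discussed in this thread, code prepended to PHP files and PHP files sitting under the uploads directory, as an added example that is not part of the original posts. The marker list, the 500-byte threshold and the sample tree are assumptions constructed for illustration; a hit is a lead for manual review, and an empty result does not show the site is clean.

```python
import os
import re
import tempfile

# Heuristic markers often seen in obfuscated PHP injections (assumed list, not exhaustive).
SUSPICIOUS = re.compile(rb"(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
LONG_LINE = 500  # bytes; assumed threshold, hand-written first lines are far shorter
UPLOADS = os.path.join("wp-content", "uploads") + os.sep

def scan(root):
    """Return sorted (reason, relative_path) findings for the WordPress tree at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel.startswith(UPLOADS):  # uploads should hold media, not scripts
                findings.append(("php-in-uploads", rel))
            with open(path, "rb") as fh:
                head = fh.readline(65536)  # only the first line: "code in front of" the file
            if len(head) > LONG_LINE and SUSPICIOUS.search(head):
                findings.append(("obfuscated-first-line", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a clean file, a file with a prepended blob, a script in uploads."""
    blob = b"A" * 600  # inert stand-in for an encoded payload
    samples = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/x/functions.php": b"<?php eval(base64_decode('" + blob + b"')); ?><?php\n// theme code\n",
        "wp-content/uploads/cache/img.php": b"<?php echo 'x';\n",
        "wp-content/uploads/cache/photo.jpg": b"\xff\xd8\xff",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, rel in scan(tmp):
            print(f"{reason:22} {rel}")
```

Against a real install, call `scan()` with the directory that contains `wp-content`, and compare any flagged core, theme or plugin file with a freshly downloaded copy before deleting anything.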

  • The topic ‘HELP…I'm getting hacked/virus almost every 3 days…’ is closed to new replies.