You speak dismissively about Wordfence – a mere “free plugin” that still renders its website an “easy target.” In this Bluehost article, https://www.bluehost.com/blog/wordfence-increases-security-on-your-wordpress-site/, Bluehost calls Wordfence a “robust website application firewall and malware scanner” and rates the plugin “highly.”
You say “if” I keep restoring the site without putting “preventative measures” in place, as if Wordfence weren’t a preventative measure, as if we weren’t changing passwords, as if we weren’t immediately updating the core and all plugins/themes upon restoration, and as if we weren’t running a deep Wordfence scan after all this is done to certify that the site is clean, all of which we are doing.
Furthermore, if it’s Bluehost’s official position that no WordPress site is “properly” secured unless the client purchases SiteLock, then why doesn’t Bluehost just mandate SiteLock for all its sites? There is a reason why some surgeries aren’t covered by insurance companies – they aren’t necessary. If SiteLock were as critical as you’re making it sound (i.e. any WordPress site that doesn’t have it isn’t “properly” secured!), it would be incorporated into the Bluehost hosting plan as a non-negotiable feature.
I had another WordPress site that was once infiltrated. Bluehost notified me that a virus was detected on the site. The SiteLock people gave me an aggressive sales pitch that made me feel like anyone who has WordPress without SiteLock is an irresponsible fool, and Bluehost was going to mandate SiteLock if I didn’t eliminate the virus myself (or shut down my website). I declined the service, restored the site myself from my own backup, and it eliminated the virus. The site was never infected again – that’s when I first installed Wordfence. It wasn’t a headache. It was just 2 commands in FileZilla and I was done. WAY easier, simpler and cheaper than dealing with the high-pressure SiteLock sales pitch.
If my site is infected repeatedly after restoring, updating and scanning (with a perfect score from a Wordfence scan), one can’t help looking at Bluehost itself, wondering if the virus is coming from the server. You are ASSUMING this can’t possibly be the explanation (or at least, you are ignoring that possibility in your reply) and talking like the only possible cause here is the WordPress site itself.