What I have found is the hacker edits the index.php file.
Here’s how I have dealt with this issue:
1. Change the index.php file permissions to 444
2. Create a copy of the good index.php file, then move to a safe/hidden location.
3. Create a cron job that copies and replaces the main index.php file with the good (hidden) index.php file. Set the cron job to run every 5 minutes.
4. The cron job WILL NOT write over a file with permissions set at 444, but if the file permissions have been changed it will over write the changed file.
This is an automatic check and fix for the index.php file, when you have seen questionable occurrences.
