TopSyde
Get your free site auditStart Risk-Free

WordPress Site Keeps Getting Hacked Again? Here's Why

Discover why hacked WordPress sites get reinfected after cleanup, where backdoors hide, and how TopSyde Sentinel found 63 hidden backdoors across 340+ sites.

Colton Joseph

Colton Joseph

Founder & Lead Developer

··13 min read

Last updated: July 18, 2026

Diagram showing the hack-clean-hack reinfection cycle on WordPress sites with backdoor locations

When a WordPress site keeps getting hacked after a cleanup, the cleaner almost always missed a backdoor — a hidden file or code snippet left behind so the attacker can walk right back in. Cleanups fail not because the visible malware wasn't removed, but because the entry point was never found. That's the whole game.

The Agency That Cleaned the Same Sites Over and Over

Imagine spending every Monday morning doing the same thing: logging into client sites, removing malware, apologizing to clients, and sending invoices for work you've already done twice. That was life at Tamer Designs.

The agency managed more than 340 WordPress sites. They were diligent. When a site got hacked, they cleaned it fast. They deleted bad files, reset passwords, and updated plugins. Then they moved on.

A week later — sometimes less — the same sites were hacked again.

Clients were frustrated. The team was exhausted. And every reinfection ate into the money they'd made the first time around. Tamer Designs wasn't doing anything obviously wrong. They were just losing a battle they didn't fully understand yet.

The problem wasn't the malware. It was what the malware left behind.


What Is a Backdoor, and Why Does It Survive a Cleanup?

A backdoor is code that gives an attacker a way back into your site even after you've cleaned it. Think of it like a spare key hidden under the doormat. You can mop the floors and change the locks, but if that key is still there, it doesn't matter.

Most malware cleanups focus on the obvious stuff: infected theme files, spammy redirects, defaced pages. That's the mess the attacker left in plain sight. But before creating that mess, a smart attacker already planted something quieter — a tiny script, a rogue account, a database entry — designed to survive whatever cleanup comes next.

That's why the hack-clean-hack cycle is so common. The cleanup was real, but it was incomplete.


Where Backdoors Actually Hide on WordPress Sites

This is the part most guides skip. Backdoors don't sit in obvious places. They go where cleaners rarely look.

Must-Use Plugins (mu-plugins folder)

WordPress loads files in the wp-content/mu-plugins/ folder automatically, before any other plugin. There's no admin toggle. There's no plugin list entry. A file placed here runs on every page load, silently, forever — unless someone knows to look there.

Attackers love this folder. A backdoor here survives plugin updates, theme switches, and most automated scans.

wp-config.php Includes and Server-Level Files

wp-config.php is the configuration heart of every WordPress site. Attackers sometimes inject a single include or require line that pulls in a malicious external file. The wp-config.php itself looks mostly normal. The damage happens one level away.

Similar tricks happen in .htaccess, php.ini overrides, and server-level configuration files — places that feel outside the "WordPress cleanup" scope and often get skipped entirely.

Rogue Admin Users

This one is simple but effective. An attacker creates a WordPress admin account with an innocuous-sounding username. You clean the malware. You don't audit your user list. The attacker logs back in the next day with their admin credentials and reinfects the site in minutes.

According to WPScan's WordPress Vulnerability Database, compromised credentials are among the top attack vectors year after year. A rogue admin account is often the easiest reinfection path of all.

WordPress Cron Jobs (WP-Cron)

WordPress has a built-in task scheduler called WP-Cron. Legitimate plugins use it for scheduled emails, backups, and updates. Attackers use it to re-download malware on a timer.

A malicious cron job might fire every 24 hours, pull a payload from an external server, and reinstall the backdoor you just removed. By the time you check again, the site is dirty — and it looks like a new infection when it's really the same one running on a schedule.

Database-Injected Backdoors

Not all backdoors live in files. WordPress stores options, post content, and widget data in its database. Attackers inject PHP execution code into database rows — sometimes in wp_options, sometimes inside post content saved as a draft — where file-level scans never look.

These database backdoors can call external URLs, execute arbitrary PHP, or create new admin users on command.


Why Manual Cleanups Miss Most of This

Manual cleanups are done by humans with limited time. A freelancer or agency tech spending an hour on a cleanup is going to focus on what they can see: obvious infected files flagged by a basic scanner, suspicious redirects, files with recent modified dates.

That's not their fault. It's just the math. A thorough manual audit of a single site — checking mu-plugins, auditing every user, reviewing all cron jobs, scanning the database, tracing every include chain — takes hours. At scale, across hundreds of sites, it's not realistic.

Attackers know this. The backdoors they hide are specifically designed to survive the kind of cleanup a busy person can afford to do.

Backdoor LocationFound by Basic Scanner?Found by Manual Cleanup?Found by AI Scanning?
mu-plugins folderRarelySometimesYes
wp-config includesRarelySometimesYes
Rogue admin usersNoSometimesYes
WP-Cron malicious jobsNoRarelyYes
Database-injected codeNoRarelyYes
Obfuscated file backdoorsSometimesSometimesYes

How TopSyde Sentinel Broke the Cycle for Tamer Designs

When Tamer Designs brought their 340+ sites to TopSyde, the reinfection problem was the first thing on the table. The team had done everything right by conventional standards — they just needed tools that could see what human cleaners couldn't.

TopSyde Sentinel runs daily automated scans across every site it manages. It doesn't just match known malware signatures. It uses AI-driven behavioral analysis to flag code that acts like a backdoor — even if it's never been seen before, even if it's been obfuscated with base64 encoding or variable function names designed to fool simpler scanners.

When Sentinel ran its first full sweep across the Tamer Designs fleet, the results were startling: 63 hidden backdoors spread across the 340+ sites, all of which had already been "cleaned" at least once.

Sixty-three. On sites that had been manually cleaned. On sites where the visible malware was long gone.

Those backdoors were sitting in mu-plugins directories, buried in database rows, disguised as legitimate-looking helper files with innocent names like functions-helper.php or cache-loader.php. Some were executing on a cron schedule. A few were tied to rogue admin accounts nobody had caught.

Sentinel catalogued every one of them, flagged their exact locations, and removed them cleanly — with reversible snapshots taken before any changes, so nothing legitimate was at risk. After that cleanup, the reinfection cycle stopped. You can read the full story in the Tamer Designs case study.


Why AI-Driven Scanning Catches What Humans Miss

The short answer: volume and pattern recognition.

A human scanner checks files against a list of known bad signatures. If the attacker slightly modifies the backdoor — changes a variable name, adds a comment, encodes the payload — the signature no longer matches. The file looks clean.

AI-driven scanning works differently. Instead of asking "does this match a known bad file?" it asks "does this code behave like a backdoor?" It looks at what the code does: Does it accept remote input? Does it execute arbitrary strings? Does it write new files? Does it create admin users? Does it call external URLs?

That behavioral lens catches polymorphic malware — malware that changes its appearance while keeping the same function — which is exactly what modern automated attack kits produce. According to Sucuri's 2023 Website Threat Research Report, PHP-based backdoors were found in the majority of hacked WordPress sites they remediated, and obfuscation was used in a significant portion of cases to evade detection.

The AI-powered monitoring that TopSyde runs isn't just looking for yesterday's threats. It's looking for anything that shouldn't be there, even things no one has named yet.


The Checklist: What a Real Cleanup Looks Like

If your site keeps getting hacked, here's the framework to apply — either yourself, or to verify your cleanup partner is actually doing it.

1. Audit every user account Log into WordPress → Users → All Users. Delete or investigate any account you don't recognize. Then check your database's wp_users table directly — some backdoors create hidden users that don't appear in the admin panel.

2. Check the mu-plugins folder Via FTP or your host's file manager, open wp-content/mu-plugins/. Any file here runs automatically. If you don't recognize it or didn't put it there, treat it as suspect.

3. Read your wp-config.php Look for any include, require, eval, or base64_decode calls that you didn't write. Any external URL being referenced here is a red flag.

4. Audit WP-Cron scheduled jobs Use a plugin like WP Crontrol or query wp_options for cron to see every scheduled job. Remove anything you don't recognize.

5. Scan the database Search wp_options and post content for eval(, base64_decode(, system(, and external URLs. These strings appearing in the database — outside of legitimate plugin data — almost always signal an injection.

6. Check .htaccess and server config files Open your root .htaccess. Look for redirect rules you didn't write, especially ones that redirect certain user agents to external sites.

7. Replace core files from a clean copy Download a fresh copy of WordPress and replace wp-admin/ and wp-includes/ entirely. Attackers sometimes modify core files — these folders should be identical to the official release.

8. Change all credentials after cleanup Every WordPress password, every FTP password, every database password, every API key stored in wp-config — change them all after the cleanup, not before. Changing them before doesn't help if backdoors survive to harvest the new ones.

9. Enable ongoing automated scanning A one-time cleanup is not a security posture. Automated daily scanning is the only reliable way to catch reinfection before it causes damage.

If that list feels like a lot for one site, imagine doing it across 100+ sites every time there's an incident. That's exactly why Fresh Ground Thinking moved to managed hosting — they were losing 60+ hours a month on WordPress maintenance before TopSyde took it over. The WordPress malware removal guide covers the technical recovery steps in more depth if you're working through a current infection.


What This Means for Agencies

If you manage multiple client sites, the reinfection problem scales fast. One poorly cleaned site is an embarrassment. Thirty sites in a re-infection cycle is an existential threat to client relationships and your reputation.

The math is also brutal. Every reinfection cleanup costs time — time you're probably not billing for, or billing at a discount because it's "the same hack." If you cleaned a site once, the client expects it to stay clean. When it doesn't, you absorb the cost.

The solution isn't to get better at manual cleanup. It's to stop relying on manual cleanup as your primary defense. Daily automated scanning, behavioral AI analysis, and fleet-wide visibility are what break the cycle — not more hours from your team.

TopSyde's managed hosting for agencies includes Sentinel scanning across every site in your fleet, starting at $89/mo per site. The TopSyde spec sheet covers everything that's included. Agencies managing 10+ sites should look at the enterprise options for fleet-level pricing.

For a deeper look at what AI malware scanning actually catches — and how Sentinel's detection approach works — the AI-driven WordPress malware post covers the full technical picture.


Frequently Asked Questions

Why does my WordPress site keep getting hacked after I clean it?

Your site is almost certainly being reinfected through a backdoor that survived the cleanup. Backdoors are hidden files, database entries, or rogue admin accounts that give attackers a persistent way back in. A cleanup that removes visible malware but misses the backdoor leaves the door open. The site will be reinfected — often within days or even hours.

Where do WordPress backdoors hide that normal scanners miss?

The most common hiding spots are the mu-plugins folder (which loads automatically and is rarely scanned), wp-config.php include statements, WordPress cron jobs set to reinstall malware on a schedule, rogue administrator accounts, and PHP execution code injected into the WordPress database. Signature-based scanners miss obfuscated versions of these because the code looks different even when it functions the same way.

How does AI-driven scanning find backdoors that manual cleanups miss?

AI-driven scanning like TopSyde Sentinel uses behavioral analysis rather than signature matching. Instead of asking "does this file match a known threat?", it asks "does this code behave like a backdoor?" — looking for patterns like remote code execution, external URL calls, and unauthorized user creation. This catches obfuscated and modified backdoors that no signature database has ever catalogued.

How long does it take for a backdoor to reinfect a site after cleanup?

It depends on how the backdoor is configured. Some attackers return manually within a day or two. Others set automated scripts or WP-Cron jobs that reinstall malware within hours of a cleanup. In the Tamer Designs case, some sites were reinfected within days of being manually cleaned — repeatedly — until Sentinel found and removed all 63 hidden backdoors across the fleet.

Can I prevent reinfection without switching hosts?

You can reduce risk with a rigorous manual audit checklist, but ongoing automated scanning is the only reliable prevention. Daily AI-driven scanning catches new infections and re-introduced backdoors before they cause visible damage. Without that layer, you're dependent on finding the problem yourself — usually after a client or Google already has.

Colton Joseph
Colton Joseph

Founder & Lead Developer

20+ years full-stack development, WordPress, AI tools & agents

Colton is the founder of TopSyde with 20+ years of full-stack development experience spanning WordPress, cloud infrastructure, and AI-powered tooling. He specializes in performance optimization, server architecture, and building AI agents for automated site management.

Related Articles

View all →

TopSyde Sentinel

Hacked — or worried you're next?

Malware cleanup is free when you switch to TopSyde. After that it's simply handled — Sentinel scans daily and removes anything it finds automatically. No cleanup bills, no security consultant, ever. All included in flat $89/mo hosting.

Flat $89/mo per site · Free migration · 30-day money-back guarantee