Website Reinfection

Why Website Hacks Keep Coming Back (And How to Stop Reinfections)

You paid to remove the malware. Weeks later, it's back. Here's why reinfections really happen, what typical cleanups overlook, and how to break the cycle for good.

Share

There are few things more demoralising than paying to have your website cleaned, breathing a sigh of relief, and then watching the same infection reappear a week or two later. You did everything you were told. You changed the passwords. You reinstalled the platform. Maybe you even paid a second specialist. And still, the malware came back.

If that sounds familiar, the first thing worth saying is this: it is not your fault, and you are not doing anything wrong. Repeated hacks are one of the most common and least understood problems in website security. They happen to experienced developers and non-technical business owners alike. The reason is almost always the same, and once you understand it, the whole frustrating cycle finally starts to make sense.

Website hackedMalware removedEntry pointstill openReinfected…and the cycle repeats
Cleanup removes the malware, but not the way in. Until the entry point is closed, the cycle repeats.

Why reinfections really happen

When most people think about a website hack, they picture a single event: someone broke in, dropped some malicious files, and those files need to be deleted. Clean the files, problem solved. It is an understandable mental model, and it is exactly the reason reinfections are so common.

A hack is not one thing. It is really two separate things that happen to occur together. The first is the entry point — the specific weakness that let an attacker in. The second is the payload — the visible malware, spam pages, or redirects they left behind. Cleaning a website removes the payload. But if the entry point is still open, the attacker (or, more often, an automated script that never stopped scanning your site) simply comes back and drops a fresh payload.

Think of it like a house with a broken lock. You can sweep up after every break-in, replace what was taken, and repaint the walls, but until you fix the lock, the burglar keeps walking back in through the same door. The mess you keep cleaning up is not the problem. The unlocked door is.

This is why a reinfection is not evidence that the cleanup failed. In most cases the cleanup did exactly what it promised — it removed the malware that was there at the time. It simply did not answer the more important question: how did the attacker get in, and is that door still open?

The most common causes of a returning hack

Reinfections almost always trace back to one of a handful of causes. You will rarely see just one of these in isolation — real incidents tend to involve two or three at once — but each of them, on its own, is enough to bring an infection straight back.

1. A hidden backdoor was left behind

A backdoor is a small piece of code an attacker plants specifically so they can get back in later, even after you have cleaned everything else. Backdoors are designed to be overlooked. They can be disguised to look like legitimate files, tucked inside folders you would never think to check, or split across several innocent-looking files so that no single one looks suspicious. If even one backdoor survives a cleanup, the site is effectively still open — and it will be reinfected as soon as the attacker or their automated tools check back.

2. The original vulnerability was never patched

Many hacks begin with a known weakness in an outdated plugin, theme, or platform version. Cleaning the malware does nothing to fix that weakness. If the vulnerable component is still installed and still out of date, it can be exploited again the same way it was the first time. Automated attacks scan the entire web constantly looking for exactly these known weaknesses, so a vulnerable site is often re-targeted quickly.

3. Leaked or reused credentials

Sometimes the attacker did not exploit any clever vulnerability at all — they simply logged in. Passwords get leaked in unrelated data breaches, stored in plain text on an infected computer, captured by malware on a staff member’s device, or reused across multiple accounts. If a valid password is still working after a cleanup, no amount of file scanning will keep the site secure. The attacker has a key.

4. The infection spread beyond the website

On shared hosting, several websites often live inside the same account or on the same server. An infection in one can spread to the others, and a neighbouring site can quietly reinfect the one you just cleaned. In these situations, cleaning a single site in isolation is like mopping one corner of a flooded room.

5. The problem lives at the server level

Not every infection lives inside the website’s own files. Malicious scheduled tasks, compromised configuration files, injected content buried in the database, and overly loose file permissions can all sit outside the pages you would think to check, and re-deploy malware on a timer. A cleanup focused only on the visible website files will never see them, which is why the infection appears to “come back on its own”.

6. Forgotten installations, old copies, and backups

Reinfections often hide in the parts of a site nobody thinks about any more: a second, outdated copy of the platform in a subfolder, an old staging or development version, an abandoned subdomain, or an exposed backup file sitting in the same account. If any of these is compromised, it can quietly reinfect the main site you just cleaned. And restoring from an old backup, on its own, does not fix this — it brings the site back exactly as it was, including the very vulnerability that let the attacker in.

The real business impact of repeated hacks

It is tempting to think of a returning hack as a purely technical annoyance. In reality, the damage compounds every time it happens, and much of it has nothing to do with the malware itself.

  • Lost traffic and revenue. Each reinfection can knock the site offline, trigger browser warnings, or get it suspended by the host — and every hour of that is lost visitors, lost sales, and lost enquiries.
  • Eroding search reputation. Search engines notice when a site is repeatedly compromised. Spam pages get indexed, security warnings appear next to your listing, and the trust you spent years building can unravel far faster than it was earned.
  • Damaged customer confidence. A visitor who sees a “this site may be hacked” label, or lands on spam instead of your homepage, may never come back — and may tell others.
  • Mounting costs. Paying for cleanup after cleanup adds up quickly, and the indirect cost of lost business usually dwarfs the invoices.
  • Sheer stress and lost time. Perhaps the most underrated cost of all is the toll it takes on you: the constant checking, the dread of the next email from your host, the feeling that you can never quite trust your own website again.

This is the part that most technical guides skip. Behind every reinfected website is a business owner who is frustrated, worried, and often out of pocket. Recognising that the problem is a business problem — not just a file to delete — is the first step toward actually solving it.

Why traditional cleanup so often fails

If cleaning a website were enough, reinfections would be rare. The reason they are so common is that the standard approach is built around removing malware, not around understanding the incident. Here is what typically gets missed.

It stops at the visible files. Automated scanners are good at flagging known malicious code, but they are not designed to reconstruct how an attacker got in, or to find cleverly disguised backdoors that do not match known signatures. Anything the scanner cannot see survives.

It treats the website in isolation. A cleanup focused solely on the site will not examine the wider hosting environment, neighbouring sites, or server-level footholds — all of which can bring the infection straight back.

It assumes a reinstall equals a clean slate. Reinstalling the platform replaces core files, but leaves the database, uploads, custom themes, plugins, and server configuration untouched. Modern infections deliberately hide in exactly those places.

It never closes the door. Above all, a typical cleanup answers “what malware is on the site?” when the question that actually matters is “how did it get here, and how do we make sure it cannot happen again?” Without that, every cleanup is temporary by design.

Google’s own guidance for site owners recovering from a compromise makes the same point: cleaning up is only part of the process, and identifying and fixing the vulnerability is essential to prevent it from happening again — as its #NoHacked guidance on fixing common hack cases spells out.

Signs you need professional recovery, not another cleanup

Some infections genuinely are one-off events that a careful cleanup resolves for good. Others are part of a cycle that will keep repeating until someone treats it properly. These are the signals that you are dealing with the second kind:

  • The site has been hacked, cleaned, and reinfected more than once.
  • The malware reappears within days or weeks of every cleanup.
  • You have already reinstalled the platform, and it made no lasting difference.
  • Spam pages or foreign-language content keep showing up in your search results.
  • Your host keeps flagging or suspending the account despite repeated cleanups.
  • Nobody has been able to tell you how the attackers are getting in.

That last point is the most important. If no one can explain the entry point, then no one has actually closed it — and the reinfections will continue no matter how many times the files are cleaned. At that stage, what you need is not another round of deletion, but a proper recovery that starts from the root cause.

How complete recovery breaks the cycle

Genuine recovery is different from cleanup in one fundamental way: it is organised around the cause of the incident rather than its symptoms. Without getting into the technical specifics — which vary from case to case — the philosophy behind it looks like this.

Understand before acting. The first goal is to understand the whole picture: not just what malware is present, but how it arrived, how far it spread, and what allowed it to persist. That means looking beyond the website to the environment around it.

Close the entry point. Whatever let the attacker in — an outdated component, a leaked credential, a server weakness — has to be found and closed. This is the single step that most separates a lasting recovery from a temporary cleanup.

Remove every foothold, not just the obvious one. Backdoors are found and removed, credentials that could have been exposed are rotated, and any part of the environment the attacker could have touched is treated as suspect until proven clean.

Harden what remains. Once the site is clean and the door is closed, the environment is strengthened so the same class of attack is much harder to repeat — reducing the chance of a future incident, not just this one.

Verify and watch. Finally, the site is monitored over the following weeks. Because the real test of a recovery is not whether the site looks clean today, but whether it stays clean once the attacker checks back and finds their way in has been sealed.

Notice that removing the visible malware is only one small part of this. The reason this approach works where repeated cleanups fail is that it fixes the thing that was actually causing the reinfections in the first place.

What to ask before you pay for another cleanup

If you are about to hire someone — or want to challenge whoever cleaned the site last time — a few direct questions will quickly tell you whether you are buying a genuine recovery or another temporary patch. You do not need to be technical to ask any of them.

  • “How did the attacker get in?” A specific answer means they found the entry point. A vague one means they did not.
  • “What have you changed so that route can’t be used again?” Removing malware is not the same as closing the door behind it.
  • “Did you look for hidden backdoors, not just visible malware?” Backdoors are the usual reason a “clean” site is reinfected.
  • “Did you check beyond the website — the hosting account, other sites on it, old copies and backups?”
  • “Will you monitor the site afterwards to confirm it stays clean?”
  • “What happens if it gets reinfected shortly after you finish?”

The answers to these questions tell you far more about whether the problem will actually be solved than how quickly the visible malware disappears.

How to prevent the next reinfection

Whether you handle recovery yourself or bring in help, a handful of habits dramatically lower the odds of ending up back in the same cycle. None of them are complicated.

  • Keep everything updated. The platform, themes, and plugins should be kept current, and anything you no longer use should be removed entirely — unused plugins are still an attack surface.
  • Use strong, unique passwords everywhere. Never reuse passwords across accounts, and turn on two-factor authentication wherever it is offered. A great many hacks are simply logins with a stolen or guessed password.
  • Limit who has access. Every admin account is a potential entry point. Keep the number of privileged accounts small, remove ones that are no longer needed, and give people only the access they actually require.
  • Keep reliable, off-site backups. Clean backups turn a disaster into an inconvenience — but only if they are stored separately from the site and tested, so you know they will actually restore.
  • Choose hosting that isolates your sites. Good isolation stops one compromised site from taking the rest down with it, and makes reinfection across sites far less likely.
  • Watch for the early signs. The sooner you catch a compromise, the smaller and cheaper the cleanup. Unexpected new files, strange pages in search results, or unusual traffic patterns are all worth investigating quickly.

Prevention will never be perfect — no website is completely immune — but the goal is not perfection. The goal is to make your site a much harder target than the millions of easier ones the automated attacks will always prefer.

A final word

If your website keeps getting hacked, please know that the situation is not hopeless, and it is not a reflection of anything you did wrong. A returning infection is a solvable problem. It just cannot be solved by cleaning the same files over and over — because the files were never really the problem. The open door was.

Break the cycle by shifting the question from “how do we remove this malware?” to “how did this happen, and how do we make sure it cannot happen again?” Answer that second question properly, and the reinfections stop. We have seen it happen many times — often on sites that had been fighting the same hack for months.

Frequently Asked Questions

Common questions about website reinfection

Almost always because the original entry point was never closed. A cleanup that only deletes the malicious files it can see will miss hidden backdoors, a vulnerable plugin, a leaked password, or a weakness at the hosting level. As long as one of those remains, attackers simply walk back in and re-upload their files — often within days.

Not reliably. Reinstalling replaces WordPress core files, but modern infections rarely live only in core. They hide in the database, in the uploads folder, in themes and plugins, in scheduled tasks, or in server-level files that a reinstall never touches. This is exactly why so many sites are reinfected shortly after a "fresh" reinstall.

It varies. Some reinfections happen within hours because an automated script is still watching the site; others take weeks, which makes them feel unrelated to the original hack. A gap of days or weeks is common and is usually a sign that the root cause was never resolved — not that a brand-new, unrelated attack occurred.

Yes. On shared or poorly isolated hosting, an infection can spread across every site in the same account, and sometimes beyond it. This is why cleaning a single website in isolation often is not enough — the whole environment has to be assessed, or a neighbouring site can simply reinfect the one you just cleaned.

Sometimes, and sometimes not — it depends on what the site is doing while infected. A site actively serving malware, redirecting visitors, or sending spam can damage your reputation and get blacklisted the longer it stays up. Part of a proper recovery is deciding, early on, whether the site should stay live, be placed in maintenance mode, or be taken offline briefly.

Confidence comes from addressing the cause, not just the symptoms, and then monitoring. Once the entry point is closed, backdoors are removed, credentials are rotated, and the environment is hardened, the site should stay clean through repeated checks over the following weeks. If it survives that window without new malicious files or spam appearing, the cycle is genuinely broken.

Still fighting to recover your website?

If your website is showing these symptoms — or you’ve already attempted recovery without success — request a professional Website Recovery Assessment from Macrosol Technologies. Our team specializes in complex website recovery, security hardening, and search reputation restoration.

Request a Recovery Assessment Get a Free Assessment

Learn more about our Website Recovery & Security service.