Hacked sites on server

This question applies to several sites on this server, all using Defender.

I have a malware (I believe) hack that is seen by Defender, but it can't seem to stop.

The primary issue is the index.php file. When Defender restores the original, the malware turns right around and immediately puts the hacked version back into place. Then it goes back to work adding and manipulating files.

I have tried manually replacing the file as well, same thing happens.

I can't pinpoint the source of the malware, so I can't stop this.

The host (InMotion) has been unhelpful They started a scan for malware two weeks ago, and it just keeps running or stops and they have to start it over again. So, no help.

I have never seen this before so I was wondering if you have any ideas on how I can pinpoint the cause so I can eliminate the cuplrit?


  • Nithin
    • Support Wizard

    Hi Rick Weiss,

    Sorry to hear about the issue, if you are sure that there are more malicious code running in your system, then to start with it would be better to run more than one security scan. Would also recommend you to use WordFence, and see whether the file scan would help in pin pointing more files, or source of the issue.


    I’m afraid, there isn’t any specific steps that I could pin point, using security scan plugin would be an headstart to find out the source of the issue. Other than that, it’ll require going through each file manually. Since the support access to your site wasn’t enabled, I wasn’t able to check the files Defender is reporting, and what changes happens once reverted.

    If you could share your sites login credentials, I could give a look, and see whether I could find anything specific causing this.

    You can send credentials by using our secure contact form: https://premium.wpmudev.org/contact/#i-have-a-different-question

    – To Mark to my attention, the subject line should contain only: ATTN: Nithin Ramdas

    -WordPress admin username

    -WordPress admin password

    -login url

    -FTP credentials (host/username/password)

    -link back to this thread for reference

    -any other relevant urls

    However, please do note that we don’t provide clean up services to remove malware, what we could do is check the site, and the behaviour happening with index.php file, and if possible, provide steps in resolving the issue.

    Kind Regards,


  • Rick Weiss
    • New Recruit

    I’m closing this ticket. The entire server is so full of this malware hack that I am moving everyone away from it. Just haven’t been able to pinpoint the source in order to stop the instant return of the infected files.

    Thanks for the efforts made by David and others to try and resolve this.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.