Malicious files being added to my server

I keep getting files added to my sites that have random names like oy56a560.php that slowly creep into my sites and get put in various folders until one day siteground shuts it down saying too much email has been sent from the site and I have to clean it up. I use defender to scan and remove the files but I'd like to know how they get on my server list to begin with.