• RVH

    (@rvh)


    I’m just a regular guy with five websites that I run for a hobby, for example, my weather website mentioned here. The problem is that I am getting malicious files showing up like clockwork every four days. I don’t even have my FTP username and password on my PC and it’s supposedly been locked by the hosting guys but every four days I am getting notices that I have malicious files.

    About the only thing I can think to do, and it’d be a pain in the butt is to change hosting providers.

    Will this likely solve my problem? I’ve changed all passwords repeatedly but am still getting the issues. What else can I do?


Viewing 7 replies - 1 through 7 (of 7 total)
  • threadi

    (@threadi)

    You have obviously been hacked. Take a look at this article: https://www.ads-software.com/documentation/article/faq-my-site-was-hacked/

    I would recommend running a scan with a security plugin. You can find examples of this here: https://www.ads-software.com/plugins/tags/security/

    If the scan shows a command, consider whether you have a clean backup that you could use to restore. If so, delete everything and use the backup.

    Alternatively, you can also try to clean the project of the malware. However, this could be a lengthy process that does not necessarily end well.

    Finally, I would also recommend this article: https://developer.www.ads-software.com/advanced-administration/security/hardening/

    Thread Starter RVH

    (@rvh)

    Thank you. I’ve now done all that about a dozen times. My question, though, is why it’s happening and if switching hosting vendors would be a good idea.

    threadi

    (@threadi)

    As mentioned in the articles above, you should first secure your own WordPress installation. This is not only about regularly installing pending updates, but also about protecting the project from potentially dangerous requests. With security plugins, you would already be on the right track. Do you have one in use, if so which one and what does it say about the matter?

    Just because your project appears to have been hacked doesn’t necessarily mean it’s the hoster’s fault. The host is actually only providing you with resources. You are responsible for the access they provide you with. In my opinion, a change would therefore be of little use if you are somewhere else with your already (presumably) hacked project.

    What do these ‘malicious files’ look like and where do you see them?

    Thread Starter RVH

    (@rvh)

    Thanks, yes, I do maintenance almost every day. I use ManageWP and it scans all my sites and tells me what themes/plugins need updating. So, I am always up to date. I also use Wordfence.

    Other than change passwords, what can I do? When I get these attacks my hosting guys shut down FTP access and even with it off, I am getting malicious files. How can files be uploaded without FTP?

    Here is an email I got this morning showing you what the malicious files are.

    This email was sent from your website "Bob Hatcher's Weather Website" by the Wordfence plugin.

    Wordfence found the following new issues on "Bob Hatcher's Weather Website" (1 existing issue was also found again).

    Alert generated at Saturday 24th of August 2024 at 01:17:13 AM

    See the details of these scan results on your site at: https://bobhatcherweather.com/wp-admin/admin.php?page=WordfenceScan

    High Severity Problems:

    * Unknown file in WordPress core: wp-admin/user/admin-ajax.php

    * Unknown file in WordPress core: wp-includes/ID3/alpsigfc.php

    * Unknown file in WordPress core: wp-includes/SimplePie/XML/tpmlxwyq.php

    * Unknown file in WordPress core: wp-includes/blocks/nextpage/admin-ajax.php

    * Unknown file in WordPress core: wp-includes/js/tinymce/utils/xbkfylem.php

    * Unknown file in WordPress core: wp-includes/rest-api/brnttden.php

    * Unknown file in WordPress core: wp-includes/sodium_compat/namespaced/sefcxrhu.php

    * Unknown file in WordPress core: wp-admin/css/colors/ocean/php.ini (+ 251 more)

    threadi

    (@threadi)

    Yes, these are definitely files that a hacker has stored in the project.

    As already mentioned above, you would have to analyse your project completely in this respect. If WordPress itself is affected, you can no longer really trust the results from Wordfence. I would again recommend using a clean backup (which would probably be a bit old now) or setting up the project from scratch. I don’t see the hoster as a reason.

    If you are still unsure about this, find someone who can look at it with you personally. You can find someone like that here, for example: https://jobs.wordpress.net/

    Thread Starter RVH

    (@rvh)

    Thanks, I have put the “find a new hoster” on hold for a while. It doesn’t make sense to transfer an infected site – or seven of them.

    But please help me understand how these files got there. Am I right that there are only two ways, via FTP and via an infected plugin? On the latter, I’ve deleted then reinstalled all plugins thinking this might help. On the former, these files are showing up while the hoster has blocked all FTP on my account. I’m really confused.

    threadi

    (@threadi)

    Yes, there are these two ways. You can rule out FTP, although you could normally check it via an FTP log at the hoster.

    Replacing a supposedly infective plugin is often not the solution either. You have to make sure that the new version of the plugin has closed the gap that is supposedly there. If not, it will be exploited again and again. And even if it is closed, there could still be remnants in the database that could be executed by other actions. In addition, it could be several plugins that are to blame – or a combination of different plugins. Many of these hackers also install their own plugins that make it even easier for them to get into your project. Some can also be installed as MU plugins (since a hacker can change all directories and files once they have access), so that you only see them in the obligatory list in the backend, but cannot deactivate or remove them.

    Once a project has been compromised, you can never be sure that it will really be completely cleaned up. Some people spend weeks on it. I’m not sure whether an exchange in the forum here will help you in any way if you keep asking small portions. Hence my advice above to use a clean backup.
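The two points raised in this thread that a scan result alone does not settle are: which files in wp-admin/ and wp-includes/ are not part of the shipped WordPress core (the "Unknown file in WordPress core" lines in the Wordfence mail), and whether anything sits in wp-content/mu-plugins/, where it loads on every request and cannot be deactivated from the admin UI. The script below is an added example, not code from the thread, from Wordfence or from WordPress. It builds a constructed miniature site in a temporary directory (reusing a few of the file names from the report above as the "dropped" files) and compares it against a constructed manifest of expected paths and SHA-256 hashes; on a real site the manifest would come from the per-version checksums WordPress publishes, which is what `wp core verify-checksums` in WP-CLI checks against.

```python
"""Offline audit of a WordPress tree against a manifest of expected core files.

Added example (not the thread's, Wordfence's or WordPress's own code). The
manifest and the sample tree are constructed inline so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")          # only shipped core lives here
MU_PLUGINS = Path("wp-content") / "mu-plugins"   # auto-loaded, not deactivatable


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify core files as unknown / modified / missing and list mu-plugins.

    manifest maps a relative POSIX path (e.g. 'wp-admin/admin-ajax.php') to the
    SHA-256 hex digest that file is expected to have.
    """
    findings: dict[str, list[str]] = {
        "unknown": [], "modified": [], "missing": [], "mu_plugins": []}
    seen: set[str] = set()
    for core_dir in CORE_DIRS:
        base = root / core_dir
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                findings["unknown"].append(rel)        # not shipped with core
            elif sha256_of(path) != expected:
                findings["modified"].append(rel)       # shipped, but tampered
    findings["missing"] = [p for p in manifest if p not in seen]
    mu_dir = root / MU_PLUGINS
    if mu_dir.is_dir():
        findings["mu_plugins"] = [
            p.relative_to(root).as_posix() for p in mu_dir.rglob("*") if p.is_file()]
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_site(root: Path) -> dict[str, str]:
    """Write a constructed mini site under root and return its clean manifest."""
    clean = {  # stand-ins for genuine core files (constructed contents)
        "wp-admin/admin-ajax.php": "<?php // core file (constructed)\n",
        "wp-includes/ID3/getid3.php": "<?php // core file (constructed)\n",
        "wp-includes/rest-api/class-wp-rest-server.php": "<?php // core (constructed)\n",
    }
    manifest = {}
    for rel, body in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        manifest[rel] = hashlib.sha256(body.encode()).hexdigest()
    # Simulated post-compromise state mirroring the report in the thread:
    # a random-named file, a second admin-ajax.php where none belongs, a
    # php.ini in a colour-scheme directory, and an mu-plugin (all constructed).
    dropped = {
        "wp-includes/ID3/alpsigfc.php": "<?php // not part of core\n",
        "wp-admin/user/admin-ajax.php": "<?php // not part of core\n",
        "wp-admin/css/colors/ocean/php.ini": "; not part of core\n",
        "wp-content/mu-plugins/helper.php": "<?php // constructed mu-plugin\n",
    }
    for rel, body in dropped.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # Also tamper with one genuine core file so the hash comparison fires.
    (root / "wp-includes/rest-api/class-wp-rest-server.php").write_text(
        "<?php // contents changed after install\n")
    return manifest


def run_demo() -> dict[str, list[str]]:
    """Build the sample site in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_site(root)
        return audit_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}:")
        for rel in paths:
            print("   ", rel)
```

Two things this does not replace, and which follow threadi's advice above: a check run on the compromised host itself can be lied to (the interpreter, WP-CLI and the manifest all live on the same disk), so the comparison is most trustworthy run against a copy of the files pulled to a separate machine; and a clean file list says nothing about scheduled actions that re-create the files, which is where a `wp cron event list` review of WP-Cron entries and the hoster's own cron and access logs come in when files return on a fixed interval as described at the top of the thread.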
