ASK Sucuri: Why does my site keep getting reinfected?

If you have any question about malware, blacklisting, or security in general, send it to us: and we will answer here. For all the “ask sucuri” answers, go here.

Question: Why does my site keep getting hacked / reinfected?

A lot of our new customers only get in contact with us after trying to clean up their sites manually a lot of times without success. A common first question is “I cleaned my site 3 times already and it keeps getting reinfected and blacklisted. What can I do? Can you guys clean it up for good?”

Based on our experience, these are the 4 main causes of reinfections on web sites:

  1. A backdoor is still present in your site. Even though you removed the visible malware, you might still have hidden backdoors in there that the attackers are using to compromise your site. Sometimes even a “clean” backup might still have a backdoor in there. During our clean ups, we always search and remove the hidden backdoors (even when they don’t show up in our scanner).
  2. Stolen FTP/SSH/Admin passwords. This is very common, specially via FTP and compromised desktops. Are you changing your passwords? Is your desktop secure? Even if your desktop is secure, are you using FTP on an insecure wireless (or wired) network? The recommendation is to change all your passwords and scan your desktop for viruses.
  3. Vulnerability in your site. Are you using an outdated CMS? Maybe your WordPress or Joomla or forum is not updated? Make sure to update them asap to avoid reinfections.
  4. Same account infections. If you have other sites in the same FTP account and they are compromised (or infected), the malware can spread back to the site you just fixed. Do you have more sites in the same FTP account? This is specially common on shared servers, but also happens on dedicated servers.

There are also other reasons for reinfections, like when your web hosting company is compromised, causing those “mass infections” we blog about sometimes. But that is outside your power, and there is nothing much you can do about, except switching hosts.

Have a question or a comment? Make sure to ask below :)

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site or on Twitter: @danielcid