• Hi,

    My website was recently compromised and sent out lots of spam. I did a sweep of the files, changed all passwords and added additional security plugins. However, 2 days later I found new files added to the public.html folder in my cpanel. Does anyone have an idea how this is happening? Thanks!

    —–

    This is what I did the first time the website was compromised.

    – Removed the malicious files added & an unauthorized ftp account
    – Scanned the website using Sucuri
    – Ensured all plugins are updated to the latest versions
    – Changed my secret keys
    – Changed all passwords (email account, cpanel, wp-admin, ftp accounts)
    – Installed WP simple firewall and activated login protection

    However, I checked back this morning and Sucuri showed me that there were still files added after what I did. The files contained the base64_decode functions and I have removed them.

    The wp-admin site itself was completely bypassed so I’m guessing the issue is within the cpanel. We are on shared hosting and our provider does not provide us with the cpanel access logs.

    These are the changes Sucuri shows:

    Warning April 7, 2015 7:48 pm
    system ::1 File modified: (multiple entries):

    wp-content/plugins/wp-simple-firewall/icwp-wpsf.php (old size: 6389; new size: 6389)
    wp-content/plugins/wp-simple-firewall/plugin-spec.php (old size: 1670; new size: 1670)
    wp-content/plugins/wp-simple-firewall/views/snippets/state_summary.php

    Warning
    system ::1 New file added wp-content/plugins/simple-fullscreen-responsive-slider/languages/include.php (size: 2843)

    Warning
    system ::1 New file added wp-content/plugins/contact-form-7-modules/languages/defines.php (size: 2855)

    Warning
    system ::1 New file added wp-content/ngg_styles/.login20.php (size: 118267)
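
Added example, not part of the original post: a small triage script that parses audit entries in the format quoted above and flags the ones worth manual review. The sample text is constructed from the entries in the post; the function name `triage` and the three heuristics (hidden PHP files, PHP inside a plugin's `languages` directory, which normally holds only translation files, and modifications that leave the size unchanged) are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, copied from the audit entries quoted in the post.
SAMPLE = """\
system ::1 File modified: (multiple entries):
wp-content/plugins/wp-simple-firewall/icwp-wpsf.php (old size: 6389; new size: 6389)
wp-content/plugins/wp-simple-firewall/plugin-spec.php (old size: 1670; new size: 1670)
wp-content/plugins/wp-simple-firewall/views/snippets/state_summary.php
system ::1 New file added wp-content/plugins/simple-fullscreen-responsive-slider/languages/include.php (size: 2843)
system ::1 New file added wp-content/plugins/contact-form-7-modules/languages/defines.php (size: 2855)
system ::1 New file added wp-content/ngg_styles/.login20.php (size: 118267)
"""

NEW = re.compile(r"New file added (\S+) \(size: (\d+)\)")
MOD = re.compile(r"^\s*(\S+\.php) \(old size: (\d+); new size: (\d+)\)")

def triage(log_text):
    """Return [(path, [reasons])] for entries worth manual review."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        new = NEW.search(line)
        mod = MOD.match(line)
        if new:
            path = PurePosixPath(new.group(1))
            if path.suffix == ".php":
                # Heuristics below are assumptions, not Sucuri's own rules.
                if path.name.startswith("."):
                    reasons.append("hidden PHP file")
                if path.parent.name == "languages":
                    reasons.append("PHP in translation directory")
                if not reasons:
                    reasons.append("new PHP file")
        elif mod:
            path = PurePosixPath(mod.group(1))
            # Size alone cannot confirm the content is still the original.
            if mod.group(2) == mod.group(3):
                reasons.append("size unchanged; compare hash with clean copy")
        if reasons:
            findings.append((str(path), reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(f"{path}: {', '.join(reasons)}")
```
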

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Compromised website’ is closed to new replies.