..changing site/cpanel/ftp password regularly, but still we get infected.
maybe local system is infected also?
Christian brings up a good point, if anyone’s local machine (or insecure local network) has a packet sniffer or keylogger installed unknowingly, it wouldn’t matter how may security measures are used server side.
It’s also very easy for a hacker to install a hidden backdoor once they gain initial access. Then no matter what security or passwords are later implemented, they can easily come in through their backdoor. Finding such backdoors is extremely difficult. To reliably eliminate backdoors, you need to completely wipe everything on the server and reinstall from a known clean backup. “Known clean” can be difficult to determine. A wily hacker could initially install a backdoor and postpone doing anything noticeable for several weeks.
When you restore from a backup that’s prior to the observed hacking incident, the backdoor is still in place. You then need to wipe and restore from an even earlier backup, losing all data created after the backup was made.
Other ways hackers gain access is through security flaws in themes or plugins that have not been updated. Always run the most recent versions of plugins and themes (and WP itself). Avoid plugins and themes that are not actively maintained.
Also look at other apps on your server, especially old staging sites that might be lingering. Get rid of these, they can still be used to gain access if they are on the public portion of your server, even if not part of the active site.
Work through the steps in FAQ My site was hacked to help ensure you addressed all possible weaknesses. Once your site is totally clean, consider implementing some of the measures in Hardening WordPress.
