WordPress problem fix
One infected site on shared hosting can reinfect every other site in the same account. We clean the whole account in one pass.
If multiple WordPress sites in the same hosting account are getting reinfected after each cleanup, the malware is cross site. Shared hosting puts every site under one filesystem, so a backdoor in one site can write to the files of every other site in the account. Cleaning one site is wasted effort. The fix is to clean every site in the account at the same time, often using WP-CLI in bulk, rotate every credential, and either harden file permissions across the account or move clean sites to isolated hosting.
If any of these match, you are on the right page.
Site cleaned today is reinfected tomorrow
Multiple WordPress sites in the same cPanel or hPanel hit by malware
Host suspended the account, not just one site
New PHP files appear in random directories after every cleanup
On shared hosting, all sites in an account share one filesystem and one PHP user. A backdoor in one site can read and write to every other site, so cleaning one without cleaning all leaves an open vector.
No. The backdoor is already inside multiple sites. Until every site in the account is cleaned in the same window, the surviving infection rewrites the cleaned ones.
Shared hosts isolate accounts from each other but not sites within an account. That is a hosting class limitation, not a host failure. Real isolation needs separate accounts or VPS.
The real method, in the order it works.
Take a full snapshot of every site and the database for forensic evidence.
Take every site offline at the same time during cleanup.
Use WP-CLI in bulk to wipe plugins, themes, and core, then reinstall fresh from wordpress.org.
Search and remove backdoor files outside core (uploads, mu-plugins, random folders).
Rotate every database password, FTP credential, and WordPress salt.
Bring sites back together, monitor for reinfection for 14 days.
Real fix, from our work
A client had 40 WordPress sites on one shared account. After each one off cleanup, the malware was back inside 48 hours. I scripted the cleanup with WP-CLI and bash: shut every site at once, wipe plugins and themes across all 40, pull fresh copies from wordpress.org, search every wp-content folder for new php files, rotate every secret, then bring them back. Nothing came back. The lesson: shared hosting reinfections need a fleet level cleanup, not a per site one.
Written by Ali Yasin Jatoi
Founder of WebCare Studios. Ali has worked with WordPress for more than 10 years, including managing a fleet of 150+ sites with WP-CLI automation for updates, security cleanup, and malware removal. He has hands on experience across major hosts including Cloudways, A2 Hosting, Hostinger, and Bluehost.
Site down, hacked, or broken checkout gets a senior engineer within 4 hours. No ticket queues, no bots.
Flat quote up front. If we cannot get you back online, you do not pay. Risk sits with us, not you.
We work on a snapshot first and never touch your live database until the fix is verified safe.
We run a fleet of WordPress sites every day. The errors you are seeing are ones we have closed hundreds of times.
Not always. A correct fleet cleanup plus hardened permissions is often enough. We recommend isolated accounts or VPS only when the same client keeps getting reinfected, or for ecommerce and high traffic sites.
Yes, briefly. The cleanup window is usually a few hours per site. We schedule it for low traffic periods and use maintenance mode pages so visitors get a clear message.
We monitor for 14 days after cleanup. If no new backdoor files appear and no reinfection triggers, the account is considered stable.
Two fields. Email and your URL. A senior WordPress engineer reads it within minutes and replies on email and WhatsApp with what is wrong and what we will do next.