Once a WordPress site has been defaced by hackers, embedded malware, or infected with a virus, the site may be repeatedly defaced even after you think you have removed the malware. We will explain how to deal with such cases.

Reasons for repeated tampering by hackers 1. Administrator’s password is leaked.

Once WordPress has been hacked, the administrator password may have already been breached. Once the WordPress administrator privileges are taken, the hacker will be able to install and rewrite any file on the server.

What to do

If you have been hacked, we recommend that you change all of your WordPress administrator passwords once.

Reason #2 for repeated hacker tampering: Vulnerable files are left untouched.

About 50% of the time when hackers deface a site, they take advantage of vulnerabilities in WordPress itself or in plugins. Even if the site is cleaned up, if these vulnerabilities are left untouched, the site will be hacked again from those vulnerabilities.

What to do

Make sure you have the latest versions of WordPress, themes, and plugins, and remove any unused plugins.

Reason for repeated tampering by hackers 3 Embedded backdoors

A backdoor is a program file that serves as an entry point for a site to be defaced. Once a site has been defaced, this backdoor may have been written or embedded somewhere on the site.
Check for backdoors by using a malware scanner or other tool that can detect WordPress backdoors.

Reference
Free WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

Reason for repeated hacker tampering4 Direct database access

Is there a database connection program such as PHPMYADMIN that can modify the database installed at the same time on the server where WordPress is located?
Hackers may have already obtained the database connection information by retrieving the wp-config.php file of the WordPress site that was successfully hacked. If the database connection information has been taken, and if PHPMYADMIN is on the server, the hacker can rewrite the database anytime he/she wants.

Being able to rewrite the database also means being able to log in as a WordPress administrator.

What to do

Change the database password and rewrite the connection information in the wp-config.php file. If you have PHPMYADMIN, we recommend that you rename or delete it to a folder name that is less confusing.

Reason for repeated hacker tampering: hijacking of root privileges

If the WordPress site is located on a server that also grants root privileges to users, such as a VPS, AWS, or dedicated server, it is possible, but rare, that a hacker could issue commands via PHP to manipulate the server itself and take root or near-root privileges to the entire server. In this case, the safest course of action would be to use a server that has been compromised.
In this case, the safest way would be to reinstall the server itself, but since VPS, AWS, and dedicated servers require consideration of the security of the server itself, we recommend that you use a shared server since WordPress is designed to operate well on shared servers. We recommend that you use a shared server for WordPress.