If WordPress redirects you to a different site or disables some features of the administration panel, you may have been infected with malware.
In this case, if the malware has been removed and the site keeps re-infecting itself, it is possible that a backdoor, or malicious program, remains somewhere on the site.


What is a back door?

A backdoor is a program that is illegally embedded in a site and serves as a starting point for hackers to deface the site.
Hackers can access this file via the Internet to deface the site as many times as they wish.

Backdoors are often difficult to find because they are embedded deep within the site, the code is obfuscated, or they are hidden in other files such as ico files.

How to find hidden malware (tampering) and backdoors in WordPress

The easiest way to find hidden malware (including tampering, backdoors, and viruses) is to use a malware scanner plug-in.

We recommend that you scan your site with the WordPress Doctor malware scanner plugin, which has been used to scan and remove malware from over 30,000 sites as of 2022.

Free WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

Files susceptible to WordPress malware infection

There are also certain files that are very susceptible to WordPress backdoors and malware.
We recommend that you also investigate this by visual inspection.

Infection of files that are executed whenever someone visits the site

WordPress has a file that is executed every time someone visits the site. Hackers may embed malicious code here to automatically restore malware by embedding a backdoor or malicious code for re-infection.

wp-config.php
index.php

contained in the theme file
index.php
header.php
footer.php
functions.php
single.php
page.php

Malware disguised as common WordPress files

Malicious code may be installed with a name that looks exactly like a common program name included in WordPress.

wp-signups.php
wp-plain.php
wp-conflg.php
xmIrpc.php
setup-config.php
wp-includes.php

etc.

Randomly named PHP files

Hackers often embed malware files with random, meaningless strings of characters in their file names. If such a file is included in the core WordPress files, you may suspect it is malware.

1dyrU7.php
hU67jl.php

etc.

HTACCESS file

The HTACCESS file is a configuration file at the top of the WordPress installation directory that contains permalink settings and other information.
It is very common for this file to be tampered with, disabling many of the features of the administration panel.

Reference
HTACCESS and Index.php files that are instantly tampered with again in WordPress