I have single cPanel account from my hosting company, in which I have 14 websites (added as add-on domains and install in separate folders). They are all light traffic, like, under 50 visits per day.
After the "Coming Soon Page" plugin by SeedProd vulnerability, few of my websites got infected by malware, which I manually cleaned and updated plugin. I always keep my websites up to date even before this, latest version of WP and themes along with plugins.
Now form the past few months, I've this malware just showing up on some of my websites, and it can install itself to other websites as well. Like I have "websites/web1", "websites/web2"…, if it got to web1, it'd get to all other websites as well.
I see it install a "WP File Manager" plugin, sometimes a gebrish named plugin and theme as well.
I installed Wordfence couple of months ago, after this same malware got to all of my websites. I scanned all websites, cleaned up any modified files. But this malware just shows up randomly again and again.
Now when it hits again, it corrupts the WP, which shows error on website's home. I overwrite WP install with latest files, and website starts working again, then I go to Wordfence and scan, this is how it looks:
I have enabled 2FA on cPanel login, all websites admins have randomly generated strong passwords, all of them are updated (WP, theme, plugins), there's no FTP account set, I am the only admin, no webdisk / webdav, SSH is also off.
How I can get is fixed permanently?
first search sql for script next delete it and the files present. immunify360 if you dont want to do manually
Malware remnants could be hiding in any one of your sites, since cPanel doesn’t do “pooling”, all sites are in a single bucket, controlled by a single system user – it’s not ideal.
Also, you may be running a plugin with a vulnerability on one or more of the sites. Anything that hasn’t received an update in 9 months or more needs to be removed/replaced.