ernasx

Had same problem for ages. To be exact for 4 months already. Cleaned my sites every 4 days. Total nightmare !
Finally I figured it out.
It doesn’t depend on hosting or on plugins you are using.
Looks like the very first time my websites where hacked via old joomla website. Then they injected tons of files inside (on all websites on sharing account)
They also injected code in WP config, settings and index.php files. Other random files were infected as well. They put fake favicon files, which I was missing in early cleaning stages.
I was looking for solution for ages, but did’t find any proper solution.

I don’t know if my solution is perfect but you can try.

1. Ask you hosting provider to scan your websites for malware and send you infected files list.
2. Try to delete / clean injected files
3. Update wordpress to latest possible version.
4. Update all plugins as well.
5. Check for fake admin users and remove them if present.
6. Install wordfence and do a full scan. Restore injected files and delete all fake files.
7. Install Anti-Malware from GOTMLS.NET and scan all files. Review all files especially php and favicon ones. Delete or clean infected.
8. Leave only one FTP account and change password. Or change for all FTP accounts.
9. Change cpanel password.
10. I made files index.php, settings.php and config.php 444 permission.

Monitor your websites constantly with wordfence. It can tell you when it is hacked. I could not figure out exact date and which website was hacked. But this solution looks like helps a bit.